Search found 893 matches

by vecernik87
Mon Feb 05, 2024 12:29 am
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253239

Re: v7.13.3 [stable] is released!

@foraster: Regarding hap ac2 lack of space, mikrotik could partition the router OS main package into smaller packages (again) and let the user choose the functions he wants to install. I don't believe so. It has been already explained that separating packages creates a lot of overhead - wasted spac...
by vecernik87
Sun Feb 04, 2024 1:59 am
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253239

Re: v7.13.3 [stable] is released!

One of my hAP ac2 running v7.13.2 had an interesting and totally unwanted behavior earlier today: VPNs went down (that's how I noticed) config in winbox looked wrong (e.g. ovpn server was showing not enabled and port set to "1") couldn't make export - the "in progress" file got st...
by vecernik87
Fri Sep 01, 2023 10:02 am
Forum: Scripting
Topic: How to add color to output
Replies: 17
Views: 9313

Re: How to add color to output

Excellent. Now we got coloring in the terminal. How long until someone ports the DOOM into ROS CLI?
by vecernik87
Wed Aug 02, 2023 5:06 am
Forum: General
Topic: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8
Replies: 427
Views: 120544

Re: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8

I have my CRS354-48P-4S+2Q+ r2 for two years now, without any issue. Maybe I am doing something wrong?
by vecernik87
Tue Jun 06, 2023 4:40 am
Forum: General
Topic: How to block Adguard LOCAL VPN
Replies: 18
Views: 1945

Re: How to block Adguard LOCAL VPN

SSTP can be detected using a regular Mikrotik. It is enough to check for the presence of the sni header in the clienthello packet. If it is not there, we most likely have SSTP How to block SSTP practically using the "sni header" hint above? That is unfortunately not true. See packet from ...
by vecernik87
Sat Jun 03, 2023 2:24 am
Forum: General
Topic: Confused about srcnat and dstnat chain in NAT [SOLVED]
Replies: 7
Views: 2043

Re: Confused about srcnat and dstnat chain in NAT

Chain says where in the process it gets executed. Action says what happens. It is not exactly tied but it makes sense to do certain actions in a certain way, and not the other way. You could even say that those chains are named based on the most usual action which happens in that place. Now, underst...
by vecernik87
Tue May 30, 2023 11:09 pm
Forum: General
Topic: How to block Adguard LOCAL VPN
Replies: 18
Views: 1945

Re: How to block Adguard LOCAL VPN

Adguard essentially reinvented and improved SSTP. But now it is adguard proprietary protocol instead of Microsoft proprietary protocol. I use SSTP for the exact same reason - for most firewalls it looks like a big HTTPS download. Adguard went even further and makes multiple smaller connections. IMHO...
by vecernik87
Mon May 29, 2023 10:42 am
Forum: Beginner Basics
Topic: Best configuration for my setup. Vlan, bridge…?
Replies: 7
Views: 945

Re: Best configuration for my setup. Vlan, bridge…?

That is right - I am guessing. That's why I wrote "IMHO". Do not worry, I have no intention to waste any time on that because either people can figure out themselves or they hire someone to do it for them. I am usually happy to help only if it is obvious mistake or something small. Not a wh...
by vecernik87
Mon May 29, 2023 5:35 am
Forum: Beginner Basics
Topic: Best configuration for my setup. Vlan, bridge…?
Replies: 7
Views: 945

Re: Best configuration for my setup. Vlan, bridge…?

IMHO, OP wants partial router-on-a-stick config. Easy to do with VLANs and a single bridge on each device. As of WHY? My only explanation is >1Gbit WAN. If the ISP went straight to RB5009, it won't have another 10Gbit port for downstream switch, so if any other switch connects, it will be limited to...
by vecernik87
Fri May 26, 2023 5:12 am
Forum: Announcements
Topic: v7.9.1 [stable] is released!
Replies: 59
Views: 17907

Re: v7.9.1 [stable] is released!

@Wyz4k : Thanks for heads up! I tested that first on a spare device and then on one production - both survived alright. What is the use case for your devices? My spare device works as a VLAN aware switch with one SSTP mgmt VPN. Other one is my home router so nothing strange either - sstp server, so...
by vecernik87
Tue May 23, 2023 2:32 am
Forum: Virtualization
Topic: CHR won't recognize second disk
Replies: 2
Views: 5851

Re: CHR won't recognize second disk

I believe this issue started with v7 and has not been addressed yet. There were plenty of reports of CHR failing to start after v7 upgrade. Unfortunately, for now the only bandaid I know of is using a single disk.
by vecernik87
Mon May 22, 2023 9:27 pm
Forum: General
Topic: Any info about this ? ZDI-23-710 CVE-2023-32154
Replies: 48
Views: 7747

Re: Any info about this ? ZDI-23-710 CVE-2023-32154

@Znevna: why not? If I wanted to hack mikrotik, I am not going to do that heavy lifting all by myself. Putting up a bounty (which I may not even pay in the end) and then pretending to be from the vendor sounds like an efficient strategy. @normis They sent a screenshot of an email 12/09/22 – ZDI repo...
by vecernik87
Mon May 22, 2023 1:09 pm
Forum: Announcements
Topic: EDITED Forum THEME / SKIN change
Replies: 92
Views: 11000

Re: Forum THEME / SKIN change

Man, you should do this change on first april. It took me a while to realise that I did not port back to 1999 :D
by vecernik87
Thu Apr 06, 2023 12:35 am
Forum: General
Topic: How Are you Mass On-Boarding with Random Default Passwords?
Replies: 7
Views: 770

Re: How Are you Mass On-Boarding with Random Default Passwords?

Netinstall will sort you. That's what people use for any mass deployments anyway because of need for custom defconf. No mass deployment can be done with stock defconf.
by vecernik87
Tue Mar 07, 2023 10:40 pm
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 6447

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

@sob In addition to that, it would be very unwise to ban people just because they broke a rule, which they didn't know about. Unlike usual "don't use the N-word", this rule is not something expected by a common sense. Also good point mentioning it would need moderator (or more effort fro...
by vecernik87
Sat Mar 04, 2023 1:05 am
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 6447

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

"Did you put your name into the Goblet of Fire, Harry?" he asked calmly. "Did you eat the chocolate cake, pony?" he asked calmly. Pony answered with full mouth "No" A thick brown liquid started dripping from a corner of pony's mouth. "No I didn't!" pony start...
by vecernik87
Wed Feb 22, 2023 2:59 pm
Forum: General
Topic: Ax2 with 7.6 default password problem [SOLVED]
Replies: 15
Views: 3105

Re: Ax2 with 7.6 default password problem [SOLVED]

That's not Mikrotik's idea. Afaik it is EU legislation for all new devices to have unique default passwords.
by vecernik87
Wed Feb 01, 2023 12:11 am
Forum: General
Topic: Removing an account from this forum without any reason or notification. [SOLVED]
Replies: 14
Views: 1617

Re: Removing an account from this forum without any reason or notification. [SOLVED]

I am not affiliated with mikrotik so I can't explain why these particular cases happened. However, common thing on all forums is link farming through hacked accounts. e.g. Your password leaks from some service and it is same as your mikrotik forum password. Spammers buy a database of leaked credentia...
by vecernik87
Thu Jan 05, 2023 12:24 am
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3055

Re: UDP attack from LAN network

But as pointed out by @vecernik87, they are packets generated by RouterOS and sent, they don't arrive from outside the machine where they are seen (or at most they leave in response of something). mate, that's exact opposite of my post :D I originally also thought they are from the router, but I wa...
by vecernik87
Wed Jan 04, 2023 8:36 am
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3055

Re: UDP attack from LAN network

I was about to say that we should focus on the fact it is in "output" chain and not in "forward" but then I tested it in lab and noticed that forwarded traffic with src-address 0.0.0.0 actually goes through firewall in the output chain! What the heck?
by vecernik87
Wed Dec 14, 2022 7:40 am
Forum: Beginner Basics
Topic: replace source MAC
Replies: 7
Views: 604

Re: replace source MAC

Sounds almost as if the mikrotik is in the bridge mode otherwise, the ISP wouldn't require two separate MAC authorizations. @OP: you will need to provide more info, ideally including your router's config. Your situation is bit unusual which confuses other people who would like to help. if my guess i...
by vecernik87
Wed Nov 02, 2022 2:21 am
Forum: Virtualization
Topic: Boot failed after update from 6 to 7 chr on Digitalocean
Replies: 6
Views: 4225

Re: Boot failed after update from 6 to 7 chr on Digitalocean

I had similar issue long time ago - turns out v7 didn't like multiple disks (I used one for ROS and second for theDude database). If you have multiple disks in your VM, try to remove them and leave only the primary one.
by vecernik87
Tue Oct 25, 2022 3:04 am
Forum: RouterBOARD hardware
Topic: The new version of CAP AC --> CAP AX?
Replies: 7
Views: 6008

Re: The new version of CAP AC --> CAP AX?

There are other less obvious problems to the roaming side of things, aside of AP/client support, which further complicates the seam-less roaming. For example any network switch (or even a router with a bridge) between individual APs must quickly adjust their FDB table to deliver frames for destinati...
by vecernik87
Wed Sep 14, 2022 1:40 am
Forum: General
Topic: SSTP - Authentication by RADIUS
Replies: 3
Views: 1126

Re: SSTP - Authentication by RADIUS

Yes. It is possible. I use this with WS 2022 but I also had it working on SBS2011 (which is just bundled WS2008r2) You need to make sure that your PPP setup allows using radius (in ppp/secrets) your radius profile in mikrotik is allowed to be used for ppp service your server accepts radius requests ...
by vecernik87
Sat Sep 03, 2022 4:21 am
Forum: RouterBOARD hardware
Topic: mounting the device with magnets
Replies: 4
Views: 879

Re: mounting the device with magnets

Given the fact that mAP lite has mounting magnets built in, I highly doubt that it would have any serious effect.
by vecernik87
Fri Sep 02, 2022 11:18 am
Forum: Beginner Basics
Topic: a strong firewall rules for my router
Replies: 6
Views: 3823

Re: a strong firewall rules for my router

Strong firewall is simple firewall. Always make sure you have explicit drop-all-remaining for input and forward chain on the bottom. Otherwise any small mistake can create a hole. Your rules are absolute nonsense and anyone from WAN is allowed to reach your router and your internal network. Take it ...
by vecernik87
Fri Sep 02, 2022 8:28 am
Forum: RouterBOARD hardware
Topic: SFP Running, but does not receice pakets
Replies: 15
Views: 6874

Re: SFP Running, but does not receice pakets

I had a same experience but I don't think its an RX issue. I think its actually the TX of the other side not really transmitting anything. In my case I have CRS354-48P-4S+2Q+ with QSFP+ breakout cable (FS Q-8LCAO05) on one side and on the other side is CRS328-24P-4S+ with SFP+ module (FS SFP-10GSR-8...
by vecernik87
Fri Sep 02, 2022 8:20 am
Forum: RouterOS beta
Topic: what do I expect from the v7.6 beta
Replies: 7
Views: 2936

Re: v 7.6 (beta)

These roaming standards have no meaning until they are correctly implemented in capsman or similar future alternative.
by vecernik87
Thu Sep 01, 2022 6:05 pm
Forum: RouterBOARD hardware
Topic: Smaller Netpower with PoE out
Replies: 6
Views: 899

Re: Smaller Netpower with PoE out

maybe like an outdoor version of this... Yes, I guess it could be a CCS610 8p 2s in an outdoor case... Do you guys remember when Routerboards were truly just boards? I remember installing one of them in a sealed box next to parabolic antenna on a roof, long time before I even knew what Mikrotik i...
by vecernik87
Thu Sep 01, 2022 2:04 pm
Forum: Announcements
Topic: v7.5 [stable] is released!
Replies: 219
Views: 68361

Re: v7.5 [stable] is released!

Updated to 7.5 stable and have issue with sfp+. Similar issue on RB4011 - SFP+ 10G Copper.. I just had similar (although not same) experience. CRS328-24P-4S+ upgraded from 7.4 to 7.5. After reboot, SFP+ (FS SFP-10GSR-85) said Link OK and showed both RX and TX traffic. However, on the other end ther...
by vecernik87
Wed Aug 31, 2022 6:05 am
Forum: General
Topic: anyone explain advantages of rest api over old api? [SOLVED]
Replies: 5
Views: 823

Re: anyone explain advantages of rest api over old api? [SOLVED]

The new REST API is easier to implement than the old one - it follows common RESTful approach instead of reinventing wheel with proprietary, binary based communication. If you already have an implementation done, you won't gain much if you decide to use the new one.
by vecernik87
Tue Aug 09, 2022 9:16 am
Forum: General
Topic: Blocking youtube
Replies: 4
Views: 10290

Re: Blocking youtube

That would work reliably maybe 10 years ago but for quite a while, google uses QUIC. Nowadays, youtube runs HTTP/3 built on top of QUIC, which means the TLS is inside of QUIC itself and TLS matcher will not work. This rule will work only if the device never loaded youtube in the past. If your device...
by vecernik87
Fri Aug 05, 2022 8:22 am
Forum: RouterBOARD hardware
Topic: MIKROTIK MiFi
Replies: 11
Views: 2195

Re: MIKROTIK MiFi

You essentially described wAP R ac which has 2 ethernet ports, wifi and pcie slot (for LTE card of your choice). However rest of your requirements is oddly specific and unlikely to happen. e.g. if you really need the USB, just look at hAP ac³ LTE6 kit . You can perhaps swap the LTE card for somethin...
by vecernik87
Fri Aug 05, 2022 7:50 am
Forum: RouterBOARD hardware
Topic: hAP ax² dual band Wi-Fi 6 (802.11ax)
Replies: 287
Views: 66205

Re: hAP ax² dual band Wi-Fi 6 (802.11ax)

Interesting how the product code changed. It is no longer RBD52 and neither RBC52. It seems that new hAP is no longer routerboard and remains only boring C52
by vecernik87
Fri Jul 22, 2022 3:47 pm
Forum: RouterBOARD hardware
Topic: Only a Mikrotik will still work after this..
Replies: 3
Views: 930

Re: Only a Mikrotik will still work after this..

Using mikrotik as a honeypot is not recommended.
by vecernik87
Fri Jul 22, 2022 1:17 pm
Forum: Announcements
Topic: v7.4 [stable] is released!
Replies: 226
Views: 54604

Re: v7.4 [stable] is released!

Because significant jump in linux kernel version. That means old drivers and functions are useless and have to be completely rewritten.
by vecernik87
Fri Jul 22, 2022 11:56 am
Forum: General
Topic: Question about a firewall rule
Replies: 16
Views: 1136

Re: Question about a firewall rule

If you have already ping for test from something, the connection tracking consider subsequent ping as established, Yes, That is my assumption that OP didn't notice existing connection and rule got matched thanks to that. Otherwise it would be serious bug. I reacted only because previous answers fr...
by vecernik87
Fri Jul 22, 2022 11:48 am
Forum: General
Topic: Question about a firewall rule
Replies: 16
Views: 1136

Re: Question about a firewall rule

OP is right. Incoming ICMP packets from not related and not established connection should not be matched by that rule. My only assumption is that the connection is established (e.g. previously accepted pings) or related (e.g. some other connection between IP addresses). It definitely should not acce...
by vecernik87
Thu Jul 21, 2022 4:10 am
Forum: Announcements
Topic: v7.4 [stable] is released!
Replies: 226
Views: 54604

Re: v7.4 [stable] is released!

Oh no, don't start that again. Read starting from here: https://forum.mikrotik.com/viewtopic.php?t=186583#p939187 And I'll ask here too, since nobody answered in the other topic, did you ever see CPU usage on the 2nd core? And did you see some measurable performance penalty after the 2nd core got d...
by vecernik87
Wed Jul 20, 2022 4:21 pm
Forum: Announcements
Topic: v7.4 [stable] is released!
Replies: 226
Views: 54604

Re: v7.4 [stable] is released!

*) switch - disabled second CPU core for CRS328-24P-4S+ device in order to improve SFP+ link stability; This is welcome as I seem to suffer from these a bit (still didn't pinpoint exact reason and patiently testing while checking version, firmware, uptime etc..) However, this made me look on specs ...
by vecernik87
Wed Jul 20, 2022 2:34 pm
Forum: General
Topic: Long term
Replies: 9
Views: 746

Re: Long term

Plz no. I don't want to end up electrocuted after "accident" while tying my shoelaces.
by vecernik87
Sun Jun 26, 2022 5:48 pm
Forum: General
Topic: Today 2022-06-26: winbox attack from 45.71.115.59
Replies: 5
Views: 686

Re: Today 2022-06-26: winbox attack from 45.71.115.59

IMHO, that means some script kid logged in. Nothing else than a step backwards in terms of attack quality. Everyone knows for ages, that attacking too many targets from a single IP is a stupid thing to do.
by vecernik87
Tue May 10, 2022 1:46 am
Forum: General
Topic: Mikrotik test results: How to count filter rules?
Replies: 3
Views: 580

Re: Mikrotik test results: How to count filter rules?

Good question. It was mentioned in the past that each rule affects the performance differently, depending on a matcher (selected conditions) of that rule. Most extreme example would be L7 matcher. Obviously 25 rules with L7 matcher will be much slower than 25 rules of src-address matching.
by vecernik87
Thu Mar 24, 2022 11:11 pm
Forum: Beginner Basics
Topic: Rout to different IP based on URL
Replies: 3
Views: 1119

Re: Rout to different IP based on URL

You can't. This kind of redirection needs a reverse proxy. Simple firewall can't do that because L3 (TCP) connection gets established before L7 (HTTP) GET request can be sent. The url is mentioned only at the request (not before) and that is too late to redirect the connection. Proxy works different...
by vecernik87
Fri Mar 11, 2022 7:03 am
Forum: Beginner Basics
Topic: Connection between SFP / SFP+
Replies: 12
Views: 6818

Re: Connection between SFP / SFP+

That is actually not exactly true. I was curious about it so I made a quick test: CRS328 (sfp-sfplus4 cage) ---> SFP1G-SX-85 ---> om4 ---> SFP-10GSR-85 ---> CRS354 (sfp-sfpplus4 cage) It didn't work straight away though - because SFP does not have autonegotiation, I had to disable it in the CRS35...
by vecernik87
Fri Feb 11, 2022 12:40 pm
Forum: Virtualization
Topic: Chr on Hyper-V and 802.1ad
Replies: 2
Views: 6050

Re: Chr on Hyper-V and 802.1ad

That is true. in HyperV, you have to allow selected VLANs on the v-switch. However they do not give you ability to allow double-tagged (service tags) VLANS. It has something to do with Microsofts silly idea that hyperV should never touch service VLAN and that should be only for "those above you...
by vecernik87
Fri Feb 11, 2022 12:12 pm
Forum: Announcements
Topic: WinBox v3.33 and v3.34 released!
Replies: 102
Views: 25062

Re: WinBox v3.33 and v3.34 released!

excellent point @prislonsky! And not even multiple monitors are needed. I am on a desktop which has only one screen (and afaik never had more than one) and logging in while "open in new window" is enabled makes winbox crash/disappear.
by vecernik87
Fri Feb 11, 2022 11:24 am
Forum: Announcements
Topic: WinBox v3.33 and v3.34 released!
Replies: 102
Views: 25062

Re: WinBox v3.33 released!

Dude has been discontinued (again) That doesn't mean it became unusable Actually yes, it does. For several years I am waiting for fix of the bug which disconnects my dude client everytime I hover mouse on top of monitored device as well as most of the time (but not always) when I open details. I es...
by vecernik87
Fri Feb 04, 2022 3:27 am
Forum: General
Topic: If you have a Mikrotik home lab, I have a question for you.
Replies: 17
Views: 3327

Re: If you have a Mikrotik home lab, I have a question for you.

seriously? All of you got hooked on a spam topic? :lol: OP just promotes totally irrelevant links. Not sure if human or bot, but definitely a spammer
by vecernik87
Thu Feb 03, 2022 8:24 am
Forum: RouterOS beta
Topic: arp-ping not working on RouterOS v7 [SOLVED]
Replies: 26
Views: 11472

Re: arp-ping not working on RouterOS v7 [SOLVED]

I just encountered the same with 7.1.1 on hAP ac2: viewtopic.php?p=910384#p910384
by vecernik87
Thu Feb 03, 2022 8:21 am
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 223439

Re: v7.1.1 is released!

Somehow, ARP pings don't seem to work... Tested on 7.1.1, hAP ac2, tested both VLAN as well as normal bridge interface. Another router with v6 (and almost same config) works without issue. winbox_SR6SkIwePJ.png Can anyone confirm? (just to be clear, interface is correct. If the interface was wrong, ...
by vecernik87
Mon Jan 10, 2022 10:36 am
Forum: The Dude
Topic: Dude for 7.1?
Replies: 42
Views: 42559

Re: Dude for 7.1?

I use theDude myself (and have separate machine for docker) but my or your opinion does not matter. Mikrotik made big news with the docker support and thats serious advantage over competition. All this publicity now needs to be used correctly, or it will turn against mikrotik.
by vecernik87
Mon Jan 10, 2022 10:26 am
Forum: The Dude
Topic: Dude for 7.1?
Replies: 42
Views: 42559

Re: Dude for 7.1?

Mikrotik never publishes ETA because they got burned enough times.
Let them fix majority of bugs in v7 first, finalize docker etc.. and then they may look at TheDude. It was sidelined for ages now with barely any bugfixes and absolutely no functionality development.
Don't expect miracles.
by vecernik87
Wed Jan 05, 2022 12:10 pm
Forum: Wireless Networking
Topic: Missing Radiation pattern from specifications
Replies: 2
Views: 1925

Re: Missing Radiation pattern from specifications

All indoor models have around 2-3 dBi which isn't too far from ideal sphere. Due to that it does not matter what device you put where, because walls will attenuate the signal anyway and within the room/hallway it will reflect no matter how you place the device.
by vecernik87
Wed Jan 05, 2022 11:10 am
Forum: Scripting
Topic: Password for ssh [SOLVED]
Replies: 6
Views: 6582

Re: Password for ssh [SOLVED]

@jotne: I think OP talks about no password parameter in the ssh-exec command. @muhanadali: It is not possible to hardcode the password into your script and I would strongly advise against leaving your router without password. If you want to use ssh-exec with some script (i.e. you can't interactivel...
by vecernik87
Wed Dec 29, 2021 10:36 am
Forum: General
Topic: FEATURE REQUEST - Portable Winbox Databases
Replies: 4
Views: 1871

Re: FEATURE REQUEST - Portable Winbox Databases

You can even keep the folder on some dropbox and load it from multiple PCs
I can confirm this works perfectly. I synchronize my winbox and other stuff using Syncthing (p2p sync app) and it just makes life so much easier.
by vecernik87
Mon Dec 20, 2021 9:53 pm
Forum: Beginner Basics
Topic: How can I access my MikroTIk router remotely via DynDNS?
Replies: 20
Views: 7004

Re: How can I access my MikroTIk router remotely via DynDNS?

@holvoetn: Ideally it is plainly REMOVED from ROS. But I can guarantee you all hell will break loose when that happens ... you don't have to believe me. I agree it is not secure. However, sometime you don't have a choice and it is better than nothing. Did we remove telnet? No. Did we remove Port 80...
by vecernik87
Mon Dec 13, 2021 1:18 am
Forum: RouterBOARD hardware
Topic: My heX S can't power up Unifi 6 Lite [SOLVED]
Replies: 12
Views: 7727

Re: My heX S can't power up Unifi 6 Lite [SOLVED]

It works only when Ether1 is set to force on. If set auto, it shows "wait to load" all the time. I don't understand why. maybe that's what passive means. Mikrotik's "passive" PoE in some devices is not completely passive - your hEX tries to detect if there is certain resistance ...
by vecernik87
Sun Dec 12, 2021 1:27 pm
Forum: RouterOS beta
Topic: ZeroTier added to RouterOS v7.1rc2
Replies: 335
Views: 308311

Re: ZeroTier added to RouterOS v7.1rc2

Anyone knows if ZeroTier is available already for the 750gr3? As far as it seems its ARM devices only. 750GR3 is mmips. Can't wait for it to release for 750GR3 and CHR. I have hundreds of both in use. That will be fun to see.. CHR, very likely at some stage. But MMIPS? uhhh... maybe never. Point her...
by vecernik87
Sun Dec 12, 2021 1:35 am
Forum: RouterBOARD hardware
Topic: My heX S can't power up Unifi 6 Lite [SOLVED]
Replies: 12
Views: 7727

Re: My heX S can't power up Unifi 6 Lite [SOLVED]

Can you please share a quote from the brochure? I went in details through it, without success to find anything about 802.3af/at PoE-out. AFAIK, hEX S will stay passive no matter what and has no ability to negotiate power levels as af/at devices do. I think you may be confused with hEX POE (RB960PGS)...
by vecernik87
Sat Dec 11, 2021 1:45 am
Forum: RouterBOARD hardware
Topic: My heX S can't power up Unifi 6 Lite [SOLVED]
Replies: 12
Views: 7727

Re: My heX S can't power up Unifi 6 Lite [SOLVED]

@mixig: With PoE adapter you cant do anything If OP connects the PoE adapter to the hEX itself (Eth1) then power to the AP can be controlled remotely same as if the hEX was powered by DC adapter. I understand purchase of PoE adapter as more universal - if the hEX is ever replaced with something els...
by vecernik87
Fri Dec 10, 2021 7:53 am
Forum: RouterBOARD hardware
Topic: My heX S can't power up Unifi 6 Lite [SOLVED]
Replies: 12
Views: 7727

Re: My heX S can't power up Unifi 6 Lite [SOLVED]

The page you linked actually says it, but in different words: The port #5 can power other passive PoE capable devices with the same voltage as applied to the unit I did not use the same terminology because I didn't even bother to open specs page and just fished it out of my memory. You have three op...
by vecernik87
Fri Dec 10, 2021 5:39 am
Forum: RouterBOARD hardware
Topic: My heX S can't power up Unifi 6 Lite [SOLVED]
Replies: 12
Views: 7727

Re: My heX S can't power up Unifi 6 Lite [SOLVED]

hEX does not have voltage regulator. It has a simple passive pass-through so the output voltage will be same as input voltage. If your hEX is powered by standard 24V adapter, it will not be able to power U6L which requires 44-57V (either passive or 802.3 af/at) hEX can output 48V or even 57V (theref...
by vecernik87
Thu Dec 09, 2021 10:02 am
Forum: General
Topic: host sees public IP address of ISP
Replies: 19
Views: 4099

Re: host sees public IP address of ISP

Added another Mikrotik router (hEX lite) to the network. It shows up as a neighbor, but can't connect to it from Winbox using MAC address. Opened port 5678 for TCP as well as UDP. I am not sure if you followed what I had in mind. (maybe yes, but it isn't clear whether actions are related to hAP or ...
by vecernik87
Wed Dec 08, 2021 11:18 pm
Forum: Beginner Basics
Topic: Send specific packets to another network over IPSEC VPN tunnel
Replies: 4
Views: 1582

Re: Send specific packets to another network over IPSEC VPN tunnel

Check out zero tier, this kind of work maybe just got a lot easier......... We dont want to overtax the pretty pony's brain! It won't be much easier. Setting up the VPN maybe (but OP already got it working). In the end, steps will be similar because you have to shove the traffic from .1/24 to .135/...
by vecernik87
Wed Dec 08, 2021 2:38 pm
Forum: General
Topic: Finding MAC address of ethernet partner
Replies: 2
Views: 763

Re: Finding MAC address of ethernet partner

My favourite solution to most problems: Packet sniffer! Make sure it is stopped, select correct interface and set the "direction" to RX only. Then you can start it. That way, it will record only packets received on that interface - essentially, only packets from your ONU If the interface i...
by vecernik87
Wed Dec 08, 2021 2:30 pm
Forum: Beginner Basics
Topic: Send specific packets to another network over IPSEC VPN tunnel
Replies: 4
Views: 1582

Re: Send specific packets to another network over IPSEC VPN tunnel

There are several steps. MT1 has to be aware that 192.168.135.0/24 is available behind MT2. This can be done either with routes or IPSec policies (depending what type of tunnel you have) if step 1 was done using policies, then MT2 has to have the same policy (otherwise it will discard incoming encry...
by vecernik87
Wed Dec 08, 2021 6:37 am
Forum: Beginner Basics
Topic: Dot1x Reject VLAN ID
Replies: 2
Views: 1620

Re: Dot1x Reject VLAN ID

I had a similar issue and took me a while to realise that my RADIUS server responds with "reject" however RADIUS client in RouterOS timed out already due to low default timeout value. The reject-vlan-id is not applied if RADIUS fails due to timeout. It applies only if there is reject messa...
by vecernik87
Tue Dec 07, 2021 6:33 am
Forum: General
Topic: host sees public IP address of ISP
Replies: 19
Views: 4099

Re: host sees public IP address of ISP

All right :) That sounds like a promising lead - if you see it in neighbours of winbox, you will see it in neighbours of routerOS (same discovery protocol) and hopefully able to connect. Once you are in, you can run /system reset-configuration and confirm with "Y" Just a note on your rese...
by vecernik87
Tue Dec 07, 2021 3:23 am
Forum: General
Topic: host sees public IP address of ISP
Replies: 19
Views: 4099

Re: host sees public IP address of ISP

Alright, I went to my box of goodies, fished out hAP ac lite and connected it only to my computer (so no DHCP on the network) I got into CAPS mode using following procedure: Disconnect power->press button->connect power->wait until USR starts blinking->wait until USR stays on->release button This wa...
by vecernik87
Tue Dec 07, 2021 12:02 am
Forum: General
Topic: host sees public IP address of ISP
Replies: 19
Views: 4099

Re: host sees public IP address of ISP

It can be done accidentally. (see the link I posted)

All you need is a inexperienced person who holds the reset button for additional 5 seconds after the LED starts blinking (which isn't much). Since this behavior is unique to Mikrotik, not everyone will release the reset button on time.
by vecernik87
Mon Dec 06, 2021 10:50 pm
Forum: General
Topic: IP Cloud pulling wrong Public Address [SOLVED]
Replies: 6
Views: 1686

Re: IP Cloud pulling wrong Public Address [SOLVED]

Address space starting from 100.x.y.z is called CG-Nat and it is not a Public IP address... That is not exactly correct. CGNAT is only 100.64.y.z - 100.127.y.z (or precisely 100.64/10 in the CIDR notation) e.g. 100.128.1.1 is perfectly valid public IP which belongs to T-mobile in USA
by vecernik87
Mon Dec 06, 2021 10:43 pm
Forum: General
Topic: host sees public IP address of ISP
Replies: 19
Views: 4099

Re: host sees public IP address of ISP

This sounds like it is in the CAPS mode. CAPS mode will configure your device into a wifi AP+switch. No routing etc... and it expects to receive configuration from cAPsMAN (A server on your network) That's probably the reason why it passes the WAN IP to your clients. I saw this few times in the past whe...
by vecernik87
Mon Dec 06, 2021 10:28 pm
Forum: General
Topic: IP Cloud pulling wrong Public Address [SOLVED]
Replies: 6
Views: 1686

Re: IP Cloud pulling wrong Public Address [SOLVED]

tl;dr: It works as expected because your router is behind CGNAT - https://datatracker.ietf.org/doc/html/rfc6598 in the /ip route section, you don't see a public IP. You see WAN IP of your router, which may or may not be routable from the public internet. Many ISP nowadays put clients behind a NAT, w...
by vecernik87
Mon Nov 29, 2021 2:32 pm
Forum: General
Topic: [Let'Encrypt] Allow matched regexp to connect
Replies: 7
Views: 2221

Re: [Let'Encrypt] Allow matched regexp to connect

That is good link actually. It again says that HTTP validation can come from any IP and there is no guaranteed list. However, one of replies suggests updating firewall with --pre-hook and --post-hook, which should easily work with mikrotik.

Or use DNS challenge if possible. (I went this way)
by vecernik87
Mon Nov 29, 2021 11:04 am
Forum: General
Topic: [Let'Encrypt] Allow matched regexp to connect
Replies: 7
Views: 2221

Re: [Let'Encrypt] Allow matched regexp to connect

Not sure if possible. Trick is, that in order to get the url, You need to firstly allow whole TCP handshake and only then you may receive HTTP GET request. The URL is nowhere else before this request. That means you have to let ALL connections on port 80 to be established, until the first HTTP reque...
by vecernik87
Wed Nov 17, 2021 9:05 am
Forum: General
Topic: DNS forwarder to AdGuard [SOLVED]
Replies: 4
Views: 3534

Re: DNS forwarder to AdGuard [SOLVED]

Very likely your router gets dynamic DNS from your ISP.

Check your /ip dns print status. If you see dynamic servers - that is the reason.

If you found your dynamic DNS servers, you can disable this by setting use-peer-dns=no in your /ip dhcp-client setting.
by vecernik87
Tue Nov 16, 2021 8:31 am
Forum: General
Topic: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN
Replies: 55
Views: 18821

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Same as with zerotier, I propose to NOT implement 3rd party services. Implement functions, protocols etc. but not services. Service implementation will always require more attention from developers and will take their time away from fixing/developing basic stuff. We experienced it with paypal suppor...
by vecernik87
Tue Nov 16, 2021 3:54 am
Forum: RouterBOARD hardware
Topic: Mikrotik Groove 52HPn die after update long term firmware
Replies: 4
Views: 4029

Re: Mikrotik Groove 52HPn die after update long term firmware

Majority of failed netinstalls is due to inexperience and wrong setup. Please, try it first with a known working router. If router works fine, netinstall should work as well - that is your test benchmark. If it does not work, adjust your setup. Once you make it working with a good router, simply swi...
by vecernik87
Mon Nov 15, 2021 10:47 am
Forum: RouterBOARD hardware
Topic: Mikrotik console server?
Replies: 2
Views: 3407

Re: Mikrotik console server?

This is actually not too common requirement so the market is small, therefore amount of sold units small as well. That means the price per unit will be high no matter who makes it. However, I believe there is a cheap solution! Many routerboards come with USB. I know for sure that it supports at leas...
by vecernik87
Wed Oct 27, 2021 7:56 am
Forum: RouterOS beta
Topic: v7.1rc5 [development] is released!
Replies: 167
Views: 48139

Re: v7.1rc5 [development] is released!

I could not find container package from the release in mipsbe , x86/chr version
That is expected. See the first line of the changelog:
!) container - package is getting updated and will be made available in future, if interested in container feature please use 7.1rc4;
by vecernik87
Wed Oct 27, 2021 6:46 am
Forum: RouterOS beta
Topic: v7.1rc5 [development] is released!
Replies: 167
Views: 48139

Re: v7.1rc5 [development] is released!

*) bridge - added HW offload support for vlan-filtering on MT7621 switch chip (hEX, hEX S, RBM33G, RBM11G, LtAP); Does this mean that the information from wiki and below is incorrect? The info is indeed incorrect. You can confirm it easily by looking at specs However, it is understandable - you are...
by vecernik87
Sun Oct 17, 2021 1:56 pm
Forum: The Dude
Topic: Is dude still maintained?
Replies: 5
Views: 7266

Re: Is dude still maintained?

tl;dr: Not really maintained.

New features weren't released for years. Mikrotik did some update in regards to common crashes recently, but AFAIK, it still keeps crashing under certain circumstances. If there are bugs like that, I think it is safe to say it is not maintained
by vecernik87
Tue Oct 12, 2021 2:24 pm
Forum: RouterBOARD hardware
Topic: Tilera EOL Schedule
Replies: 3
Views: 2388

Re: Tilera EOL Schedule

Mikrotik does not specify EOL with their products. This would be first time AFAIK. I admit the tilera architecture isn't likely to receive new gear, but even with that said, it will likely take ages before products are discontinued and after that many years before its support (software updates) is d...
by vecernik87
Tue Oct 12, 2021 12:55 pm
Forum: General
Topic: Bug in 6.49 rc2 ?
Replies: 4
Views: 851

Re: Bug in 6.49 rc2 ?

I don't see any issue with that: Firstly, you can test it yourself that other versions do that as well. Therefore it can't be version related bug. Secondly, it is link-local address. in IPv6 world, it serves similar purpose as MAC addresses in IPv4 world. As long as they are on different networks, t...
by vecernik87
Sat Sep 25, 2021 12:03 pm
Forum: General
Topic: Compress EoiP Tunnel
Replies: 4
Views: 1063

Re: Compress EoiP Tunnel

unfortunately no.
by vecernik87
Mon Sep 13, 2021 2:47 pm
Forum: General
Topic: Do I need to contact support@mikrotik.com directly to get answers about the forum itself? [SOLVED]
Replies: 17
Views: 3194

Re: Do I need to contact support@mikrotik.com directly to get answers about the forum itself? [SOLVED]

Last time I became moderator (some completely different project), I programmed my way in :D Well, not exactly - I was just so active that they asked me to either stop or do it officially.
In mikrotik world, maybe you can release your own v7.2 to instantly gain employee rank?
by vecernik87
Tue Sep 07, 2021 6:05 am
Forum: General
Topic: 6-7 Sep 2021 Cloud Problem
Replies: 22
Views: 963

Re: IP Cloud

The domain mynetname.net expires on 2022-04-29T08:21:38Z Simply mikrotik forgot to pay the $35 annual fee to publicdomainregistry.com If it expires in 2022, it clearly can't be expired now (i.e. nobody forgot to pay it). btw: Just last week, three of my .com domains were disabled due to the fact I ...
by vecernik87
Wed Sep 01, 2021 12:42 am
Forum: RouterOS beta
Topic: ZeroTier added to RouterOS v7.1rc2
Replies: 335
Views: 308311

Re: ZeroTier added to RouterOS v7rc2

NO THANKS! There's always one :roll: Just because you don't want to use it doesn't mean that others don't want to. Count it as two. I understand that some other people want to use it, but we need to look at it pragmatically - adding support for 3rd party services/code means, developers must spend e...
by vecernik87
Sat Aug 28, 2021 3:00 am
Forum: Beginner Basics
Topic: Best budget Mikrotik router for 30-50 sub routers
Replies: 4
Views: 1585

Re: Best budget Mikrotik router for 30-50 sub routers

Can you specify features you need? i.e. what role does it have? e.g. Is there going to be NAT? Queues? Firewall? How many rules? BGP? how many routes? are clients pppoe? - If it is just about pushing 600Mbps of packets, you could easily go with cheapo stuff like hAP ac2. (just a joke. True, but joke...
by vecernik87
Tue Aug 24, 2021 10:35 am
Forum: RouterOS beta
Topic: Netinstall error [SOLVED]
Replies: 11
Views: 2718

Re: Netinstall error [SOLVED]

... I tried to flash ROS 7.0.3 with 7.0.3 netinstall. 7.0.3 is the current official stable ROS release for Chateau. If one cannot flash this version that runs on thousands of other Chateaus - what the heck. I understand that. However I still suspect, it may apply to all chateau devices. What I mean...
by vecernik87
Tue Aug 24, 2021 6:44 am
Forum: RouterOS beta
Topic: Netinstall error [SOLVED]
Replies: 11
Views: 2718

Re: Netinstall error [SOLVED]

Assert function in programming is used to compare variable with expected value and fail if they don't correspond. Failure usually crashes the program. In other words, It is intentionally written condition and its purpose is to help developers notice a problem (which could otherwise end up with much...
by vecernik87
Sun Aug 22, 2021 3:29 am
Forum: Beginner Basics
Topic: Problem with default firewall rules
Replies: 7
Views: 1299

Re: Problem with default firewall rules

I agree that /tool mac-server set allowed-interface-list=LAN is not ideal if your LAN is not trusted, but I can't count how many times a MAC server (and ROMON) saved me from a locked device (e.g. misconfigured ipsec policy). It is good to have a backup way of accessing your device.
by vecernik87
Sat Aug 21, 2021 12:00 pm
Forum: Virtualization
Topic: is it possible to change the system id from CHR license?
Replies: 2
Views: 5398

Re: is it possible to change the system id from CHR license?

It should be possible and I tested that in the past with this approach:
bIJxc1l.png
by vecernik87
Fri Jul 30, 2021 1:42 am
Forum: RouterBOARD hardware
Topic: Going above 1Gbps - should I replace my router?
Replies: 7
Views: 3267

Re: Going above 1Gbps - should I replace my router?

... And if you don't like the router-on-a-stick solution suggested above.... the ISP's modem is only with an RJ45 2.5GBps port Sounds you are perfect candidate for newly released https://mikrotik.com/product/rb5009ug_s_in 1* 10Gbit SFP+ 1* 2.5Gbit RJ45 7* 1Gbit RJ45 And instead of crappy Realtek, wh...
by vecernik87
Wed Jul 28, 2021 12:20 pm
Forum: General
Topic: can a CRS be used as a basic router to pass an ip range using BGP?
Replies: 4
Views: 845

Re: can a CRS be used as a basic router to pass an ip range using BGP?

It has the feature, but not the power. (e.g. good for small management/monitoring traffic etc) If you want to pass any reasonable traffic, you will need either L3 hw offload or full blown router.
by vecernik87
Wed Jul 14, 2021 10:36 am
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 1368

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

I think so. e.g. CRS309 is the cheapest model with full support (e.g. I don't consider CRS305 due to limited support - no NAT). The price tag of $269 is well within budget of anyone, who is interested in 10G routing. (It's not like other equipment will be cheaper)
by vecernik87
Wed Jul 14, 2021 8:55 am
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 1368

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

... which is perfectly fine since who cares what device does the job as long as it is done correctly, right?
by vecernik87
Wed Jul 14, 2021 8:38 am
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 1368

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

Technically, RB4011 is very close to routing 10Gbit, but I think it will take a while for next generation of devices. RB4011 is already miles ahead of competition in the given price range so there is really no incentive for mikrotik to improve this pro-sumer range. If you drop the requirement to do it ...
by vecernik87
Wed Jul 14, 2021 7:15 am
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 4513

Re: Firewall drop all !LAN is not the same as drop all WAN

I think neither option (!LAN / WAN) should be used. We are humans 1 . Humans make mistakes 2 . Different approach may require more rules, but it may prevent mistakes. This is related to my only complaint about default firewall, which uses "drop all !LAN". It works fine and is secure enough, b...
by vecernik87
Mon Jul 05, 2021 5:51 am
Forum: RouterBOARD hardware
Topic: Internal power supplies instead of wall warts
Replies: 9
Views: 3060

Re: Internal power supplies instead of wall warts

"wall warts" may fail, but anyone can replace them and the failure is easy to diagnose. When an internal power supply fails, it often means people will throw the whole device. Replacement PSU is often non-existent and even if it existed, not everyone will be able to open the device and rep...
by vecernik87
Fri Jul 02, 2021 4:46 am
Forum: RouterBOARD hardware
Topic: NetInstall Instructions
Replies: 17
Views: 21655

Re: NetInstall Instructions

One important note, which worked for me: disable all other interfaces, except your Ethernet which you use for netinstall. I had several unsuccessful attempts to netinstall. Originally, I turned off my wifi but didn't disable the interface. I also didn't disable bluetooth PAN as well as HyperV switch....
by vecernik87
Fri Jun 25, 2021 7:16 am
Forum: General
Topic: Torch vs. Packet Sniffer [SOLVED]
Replies: 8
Views: 3244

Re: Torch vs. Packet Sniffer [SOLVED]

Personally, I prefer to use mangle action "sniff tzsp" because it is clear when it gets executed and you can actually choose - prerouting, forward, postrouting ... (look at packet flow ). You can even sniff the same packet multiple times (once in prerouting, once in postrouting) and send t...
by vecernik87
Sat Jun 19, 2021 1:49 am
Forum: General
Topic: My ISP ( WiLogic ) uses MikroTik Routers and without a doubt..
Replies: 25
Views: 3027

Re: My ISP ( WiLogic ) uses MikroTik Routers and without a doubt..

Nah, that will be custom netinstall script, which is absolutely perfect for this situation. Once netinstalled, you can't get rid of it unless you do another (truly factory) netinstall.
by vecernik87
Sat Jun 19, 2021 1:46 am
Forum: General
Topic: mikrotik redirect based on domain to internal ip [SOLVED]
Replies: 6
Views: 6777

Re: mikrotik redirect based on domain to internal ip [SOLVED]

I thought as it's not https and is simple port 80 without SSL then mikrotik can handle. I see. Yes, it can handle identifying it. (actually, some https connections can be also identified using TLS host (SNI) ). However, even though the connection is identified, not every action can be performed: - ...
by vecernik87
Fri Jun 18, 2021 7:25 pm
Forum: General
Topic: mikrotik redirect based on domain to internal ip [SOLVED]
Replies: 6
Views: 6777

Re: mikrotik redirect based on domain to internal ip [SOLVED]

You need reverse proxy for this. Simple firewall redirection can't work because the domain is not mentioned in the first packet of the HTTP connection. The client first establishes a TCP connection to the server and only after that sends the HTTP request which contains URL. But that is too late to r...
by vecernik87
Fri Jun 11, 2021 1:26 am
Forum: General
Topic: /ip firewall filter drop not dropping IP
Replies: 19
Views: 2412

Re: /ip firewall filter drop not dropping IP

@anav: as long as you had at least one dose of the vaccine All hail Ausgov... I don't expect to be eligible for another several months @rextended: My point was to prove there is nothing to be afraid of :D But I can't say I don't appreciate your insight. Most spotted issues are remains of testing (w...
by vecernik87
Thu Jun 10, 2021 2:31 pm
Forum: General
Topic: /ip firewall filter drop not dropping IP
Replies: 19
Views: 2412

Re: /ip firewall filter drop not dropping IP

@anav + @rextended: Not that I would approve your slightly toxic replies, but technically you are right.. To prove my point to everyone, attached is my main router's config. Export + few CTRL+H = it is safe to publish. asdf.rsc @vmajor: really, this is standard practice and nothing dangerous. Its j...
by vecernik87
Mon May 24, 2021 9:57 am
Forum: RouterBOARD hardware
Topic: Add +1 here if you liked "white brick" mikrotik design
Replies: 10
Views: 2206

Re: Add +1 here if you liked "white brick" mikrotik design

+1

Anyway, our opinion here does not matter. Mikrotik makes decisions mostly on requests from distributors who mean significant marketing opportunity.
by vecernik87
Thu May 20, 2021 6:23 am
Forum: RouterOS beta
Topic: v7.1beta6 [development] is released!
Replies: 377
Views: 241140

Re: v7.1beta6 [development] is released!

Is there is a way to use this new Lets Encrypt support without having to open www (and, by extension, webfig) to the world? The Lets Encrypt support is a great idea and I am glad it is there, it is really handy for VPNs etc, but it seems like I am having to open port 80 and webfig to the planet if ...
by vecernik87
Wed May 19, 2021 9:36 am
Forum: General
Topic: What is "unclassified" cpu usage?
Replies: 6
Views: 9956

Re: What is "unclassified" cpu usage?

Technically, 5% on each core will result in 5% total as well. Similarly as having 20% on 9 cores out of 36 core processor will result in the same 5% total. If the unclassified appears on 1-2 cores out of all 36, then it isn't really bothersome.
by vecernik87
Wed May 19, 2021 3:44 am
Forum: General
Topic: Is there a fiber-optic Mikrotik modem?
Replies: 4
Views: 1615

Re: Is there a fiber-optic Mikrotik modem?

No matter what type of fiber optics you get, there is almost certainly a compatible SFP module, which you simply stick into any SFP-enabled routerboard (e.g. hEX s / hAP ac / RB4011 ...) and once configured, it should work without issue. There is no magic behind "modem-like" tasks. That wo...
by vecernik87
Wed May 19, 2021 1:38 am
Forum: Announcements
Topic: IP Cloud
Replies: 79
Views: 159542

Re: IP Cloud

@anav 1) No idea what the "forced" means. If you are talking about force-update command, well, that does what it says - it is a command (not a parameter), which forces the update to happen straight away. Meanwhile the "60 second" probably refers to ddns-update-interval which is...
by vecernik87
Wed Apr 14, 2021 8:41 am
Forum: General
Topic: Cloutik feedback ?
Replies: 20
Views: 5648

Re: Cloutik feedback ?

That's exactly my point. In the past, unifi cloud was optional (so it can be considered same as 3rd party). Then they released UDM and guess what? It is compulsory. You can't set up the device without cloud. (therefore even serious networking people had no choice...) Now they got hacked and literary ...
by vecernik87
Wed Apr 14, 2021 4:21 am
Forum: General
Topic: Cloutik feedback ?
Replies: 20
Views: 5648

Re: Cloutik feedback ?

No serious network techs will ever use third party cloud service to manage their own devices. Thus, no discussion needed.

It's a nice toy but that's about it. For anyone conscious about security, it is another unnecessary attack vector.
by vecernik87
Fri Apr 02, 2021 2:04 pm
Forum: Beginner Basics
Topic: EoIP problem, MAC addresses
Replies: 2
Views: 875

Re: EoIP problem, MAC addresses

You didn't post much info so the best guess I have is, that you enabled arp proxy on that bridge from the second router.

If you disable it, your bridge should stop responding with arp answers and your double entries should disappear.
by vecernik87
Fri Mar 26, 2021 9:43 pm
Forum: General
Topic: WARNING _ DO NOT USE UPS Feature on MT
Replies: 5
Views: 1337

Re: WARNING _ DO NOT USE UPS Feature on MT

I have cyberpower UPS connected to my home RBD52G and it is stable. In the office, I had some random reboots which were caused by the UPS communication in the past (interestingly same RB and UPS) . I guess it depends on more things, possibly even unrelated config which will affect the behavior.
by vecernik87
Wed Mar 17, 2021 8:19 am
Forum: General
Topic: Mutiple SSTP servers
Replies: 4
Views: 1153

Re: Mutiple SSTP servers

No. Unfortunately Mikrotik's implementation supports only one server per router. You would probably need to create port-forwarding to a virtual router in order to create multiple servers.
by vecernik87
Wed Mar 03, 2021 8:13 am
Forum: Beginner Basics
Topic: Block Router Admin Access from the Wireless Interfaces
Replies: 7
Views: 3784

Re: Block Router Admin Access from the Wireless Interfaces

The OP has clearly stated he is concerned with people accessing the router besides the admin. That is just untrue. Look again on the original question - it barely provides any info. You simply arrived late as always, after there was more info provided. I have sharper hooves so save yourself for ano...
by vecernik87
Wed Mar 03, 2021 1:14 am
Forum: Beginner Basics
Topic: Block Router Admin Access from the Wireless Interfaces
Replies: 7
Views: 3784

Re: Block Router Admin Access from the Wireless Interfaces

@go4030 : Just one question...if my network is /24, I would change the /32 to /24? No. we are talking about dst-address so you are selecting only the destination mikrotik device (single host = /32). If you put /24, you may block access to other devices in theory, depending on your network setup. I'...
by vecernik87
Tue Mar 02, 2021 7:49 am
Forum: Beginner Basics
Topic: Block Router Admin Access from the Wireless Interfaces
Replies: 7
Views: 3784

Re: Block Router Admin Access from the Wireless Interfaces

If they are bridged, it won't be as easy. To be precise - it can't be done with a firewall, because the packet goes to the firewall from the bridge (therefore bridge is the in-interface). In order to block only wireless clients, you need to create the rule in bridge filters: /interface list add name...
by vecernik87
Mon Mar 01, 2021 8:29 am
Forum: Wireless Networking
Topic: WIFI 6 Roadmap
Replies: 199
Views: 143325

Re: WIFI 6 Roadmap

Where are the 60hz smartphones
Well, talking about that... my friend was testing 5G at his place and came up with some ridiculous number over 600Mbit download... If that really works all around, wifi will be irrelevant in the next decade.
by vecernik87
Wed Feb 24, 2021 3:35 am
Forum: Beginner Basics
Topic: simple switch and WiFi AP (no dhcp, no nat)
Replies: 12
Views: 17300

Re: simple switch and WiFi AP (no dhcp, no nat)

By default the wireless interface operates in the station mode. I am not sure if the SSID/key config should be the same SSID as the AP. This would make sense since the station could connect to the AP. The default value probably changed over the years. My understanding was that OP wanted to set the...
by vecernik87
Thu Feb 18, 2021 6:59 am
Forum: General
Topic: Forward between subnets on Bridge
Replies: 1
Views: 553

Re: Forward between subnets on Bridge

Without complete config of router as well as your VPN server it is not easy to solve. My best wild guess would be that you need to add a firewall-forward rule. (But not to the end, somewhere before "forward - drop all" rule.) If you are unsure or just want to test it, you can put it on to...
by vecernik87
Wed Feb 17, 2021 3:11 am
Forum: Beginner Basics
Topic: WAN & LAN Speed Difference
Replies: 8
Views: 2875

Re: WAN & LAN Speed Difference

I would start with Tools->Torch: zGfg3K8aD1.png If that is not sufficient, you may also go to IP->Firewall->Connections: FlE6De5VpQ.png that should give you enough overview about your WAN connections. From there on, hard to say what you need to do - depends what kind of connections you find
by vecernik87
Tue Feb 09, 2021 11:19 pm
Forum: Beginner Basics
Topic: v6.48.1 - missing comment
Replies: 1
Views: 593

Re: v6.48.1 - missing comment

That is perfectly fine. Comment is related to the connect item, not to the registration item. I know the registration item looks like copy/dependant of connect-item, but it is not. Registration-list is made up from purely dynamic entries and thus, does not have comments.
by vecernik87
Tue Feb 09, 2021 1:02 pm
Forum: RouterBOARD hardware
Topic: bridge hardware offload [SOLVED]
Replies: 2
Views: 2011

Re: bridge hardware offload [SOLVED]

Because your RB750Gr3 features a MT7621 switch chip which does not have many features: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features Almost any setting will disable hardware offload: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading So - you can't use STP...
by vecernik87
Tue Dec 29, 2020 2:19 am
Forum: General
Topic: Tis the Season
Replies: 9
Views: 1618

Re: Tis the Season

I know I took this year easier but... heh... I feel offended now.
As+a+ponykin+i+am+offended+by+that+last+part+_e6521e11bb8f2dd0e0074227198047ae.png
don't take it too seriously :D Happy new year to you too from a land down under
by vecernik87
Mon Dec 21, 2020 11:43 pm
Forum: Beginner Basics
Topic: Site to site VPN with the same IP subnet?
Replies: 1
Views: 1159

Re: Site to site VPN with the same IP subnet?

The VPN settings in quickset isn't really "site to site". It is rather typical road-warrior setup and there is no need for same subnet - your devices will be able to communicate with each other so why limit yourself by putting everything on the same subnet? If they are not able to communic...
by vecernik87
Fri Nov 13, 2020 1:58 pm
Forum: Announcements
Topic: v6.47.7 [stable] is released!
Replies: 45
Views: 26491

Re: v6.47.7 [stable] is released!

I think that a lot of people ask on the forum, dont write to support (the only official contact), and threatens to migrate thousand of devices every time... eventually they stick with MT because it is cheap and they cannot afford something more expensive... :D I often ask on forum, when I suspect t...
by vecernik87
Thu Oct 29, 2020 9:52 am
Forum: General
Topic: What does the advantage put the router before firewall and internet?
Replies: 8
Views: 1492

Re: What does the advantage put the router before firewall and internet?

Be careful with that router ! There is no security if you do not process the logs and alerts. (Ethical hackers first compromise the upfront router, and change the DNS flow) Good point, but that applies to every device, no matter if it is in front or behind the firewall. If the router is correctly s...
by vecernik87
Thu Oct 29, 2020 4:11 am
Forum: RouterBOARD hardware
Topic: PoE power from hAP AC to hAP ac lite?
Replies: 3
Views: 2614

Re: PoE power from hAP AC to hAP ac lite?

Yes it can. RB962UiGS (hAP ac) PoE-out is passive, 11-57V (same as input) up to 700mA, therefore with standard 24V power adapter about 16W RB952Ui (hAP ac lite) PoE-in is also passive, 10-28V, requires 8W for on its own (and up to 20W total if there is another PoE daisy-chained device) The only car...
by vecernik87
Tue Oct 27, 2020 11:00 pm
Forum: General
Topic: Permanent NAT interface
Replies: 6
Views: 976

Re: Permanent NAT interface

Another way would be to create a static "server binding" interface. But that can be used only if the client makes only one connection at a time.
by vecernik87
Mon Oct 26, 2020 9:16 am
Forum: General
Topic: Old bug, PING SRC-ADDRESS does not work
Replies: 6
Views: 1960

Re: Old bug, PING SRC-ADDRESS does not work

If you don't want to post your config (of course make it anonymous by replacing all identifiable data) it is hard to understand what could be wrong. Also, you didn't explain in detail what exactly does not work. (i.e. describe in detail your action, expected behavior and observed behavior). This des...
by vecernik87
Mon Oct 26, 2020 4:01 am
Forum: Beginner Basics
Topic: Lots of crap in Firewall logs - request rules review please? [SOLVED]
Replies: 6
Views: 1712

Re: Lots of crap in Firewall logs - request rules review please? [SOLVED]

Excellent example of "do NOT trust that" video. The video itself is nice and well explained but there are two major issues which are easy to miss: 1) Those rules are opening your network to the world. The author did not specify which interface it applies to, therefore it will allow a...
by vecernik87
Mon Oct 26, 2020 12:21 am
Forum: General
Topic: Old bug, PING SRC-ADDRESS does not work
Replies: 6
Views: 1960

Re: Old bug, PING SRC-ADDRESS does not work

I tested it just now, to confirm... Works as expected: by setting up the src-address in the source router, the destination router sees different source ip address (confirmed by running /tool sniffer quick on the destination router: [admin@mikrotik1] > ping 10.245.24.1 src-address=192.168.0.1 SEQ HO...
by vecernik87
Fri Oct 23, 2020 1:14 pm
Forum: General
Topic: What does the advantage put the router before firewall and internet?
Replies: 8
Views: 1492

Re: What does the advantage put the router before firewall and internet?

This topology makes sense if your router can't do required firewalling and firewall unable to do required routing. Typical for NGFW or IPS - these systems need to see data flowing including client's IP, therefore if they are before the router, client's IP might be NATted and in that case, it will be ...
by vecernik87
Fri Oct 23, 2020 7:03 am
Forum: Beginner Basics
Topic: System,error,critical login failure
Replies: 7
Views: 37137

Re: System,error,critical login failure

i have recent problem.. someone/thing tried to login via winbox but from the router IP itself (172.26.0.1) pics attached.. please, need help.. thank you.. this looks more like TheDude ... Probably added the device and now its trying to log in (enabled by default). find the device and uncheck "...
by vecernik87
Wed Oct 21, 2020 8:30 am
Forum: RouterOS beta
Topic: Feature Request : Non routable Management VLAN
Replies: 6
Views: 2065

Re: Feature Request : Non routable Management VLAN

There should be a setting for this in the router (and Mikrotik switches too) to avoid routing between other interfaces and the management VLAN interface. There is such setting: /ip firewall filter add action=drop chain=forward place-before=0 out-interface=vlan-mgmt Obviously, replace the vlan-mgmt ...
by vecernik87
Mon Oct 19, 2020 8:56 am
Forum: General
Topic: Microtik and AD
Replies: 3
Views: 683

Re: Microtik and AD

If you don't want them to use the 8.8.8.8, don't give it to them. Simple as that. Define the DNS in ip->dhcp->networks so only your DC DNS will be distributed to clients. If you provide the 8.8.8.8 to your clients, there is no way to guarantee they won't use it. Is there any reason to give your clie...
by vecernik87
Mon Oct 19, 2020 1:53 am
Forum: Beginner Basics
Topic: Unknown setting is preventing a DNS change [SOLVED]
Replies: 4
Views: 1253

Re: Unknown setting is preventing a DNS change [SOLVED]

c'mon Anav, you can do better :P CTRL+F -> type "53" and that's it... Picked it up in less than 10 seconds: add action=redirect chain=dstnat dst-address-type=!local dst-port=53 protocol=\ udp to-addresses=0.0.0.0 to-ports=53 DNS traffic not going to the router will be redirected to 0.0.0.0 ...
by vecernik87
Thu Oct 15, 2020 8:24 am
Forum: RouterBOARD hardware
Topic: hAP ac² High temperature
Replies: 61
Views: 27580

Re: hAP ac² High temperature

Nobody ever claimed that temperature does not matter. Temperature does matter and it is stated in the specs: "Tested ambient temperature -40°C to 50°C" That means, it is guaranteed to work, as long as the temperature around the router does not go over 50°C. By putting it on direct sunlight...
by vecernik87
Thu Oct 15, 2020 5:14 am
Forum: SwOS
Topic: Number of SWOS VLANs
Replies: 7
Views: 3588

Re: Number of SWOS VLANs

RouterOS by default does not filter VLANs on bridge at all and lets them flow everywhere (as if all ports had all VLANs enabled as tagged). The only advantage of tagging switch ports is, that it will allow you to create access/edge ports (ports where particular VLAN is untagged)
by vecernik87
Thu Oct 15, 2020 1:14 am
Forum: Beginner Basics
Topic: WOL before RDP
Replies: 2
Views: 1320

Re: WOL before RDP

Unfortunately, there is no easy way of doing this. Mikrotik can do a LOT with the firewall rules and scripts, but there is no built-in mechanism to trigger a script based on firewall rule. I can think of two workarounds: Preferred way - I hope (please, don't disappoint me!) that every employee connec...
by vecernik87
Wed Oct 14, 2020 11:35 am
Forum: Beginner Basics
Topic: Home User RouterOS Consultancy - Uber for MikroTik
Replies: 12
Views: 1934

Re: Home User RouterOS Consultancy - Uber for MikroTik

In other words, OP is asking for a normal help, which all 3 of us provide here on regular basis for free.. (at least I didn't get paid yet) @dazzaling69 : don't make a big deal out of it. Just ask for specific things because nobody will give you a full-blown lecture on all networking stuff. If you h...
by vecernik87
Wed Oct 14, 2020 9:36 am
Forum: General
Topic: License Purchase Issue! [SOLVED]
Replies: 1
Views: 764

Re: License Purchase Issue! [SOLVED]

If you were purchasing from official mikrotik page (not from reseller) then it would be better to contact mikrotik directly. This is just a forum and no official support (definitely not in regards of sales/payments) is guaranteed. In the checkout process, I noticed a reference to "sales@mikroti...
by vecernik87
Wed Oct 14, 2020 9:27 am
Forum: The Dude
Topic: (BUG) Dude Client crashing on device details and charts
Replies: 33
Views: 12380

Re: (BUG) Dude Client crashing on device details and charts

I didn't ask about this detail, but I assume, they are just pointing out the fact, that any TheDude Agent (any RouterOS device) must be same version as TheDude Server. That is known requirement for TheDude Agents, but fortunately, if you don't want to use Agents, you don't need to upgrade monitored ...
by vecernik87
Wed Oct 14, 2020 9:18 am
Forum: General
Topic: Firewall NAT , Route List Setting is will running
Replies: 4
Views: 971

Re: Firewall NAT , Route List Setting is will running

You didn't provide much info (especially, you did not bother to say what interface was there in the first place), but given your routing mark names, I assume that all these rules are related to a dynamic VPN interfaces, most likely you are running server and clients are connecting and everytime clie...
by vecernik87
Wed Oct 14, 2020 9:07 am
Forum: Beginner Basics
Topic: Accidently, I removed Interface ether1.
Replies: 5
Views: 1486

Re: Accidently, I removed Interface ether1.

Is that even possible Normis? To remove the ethernet interface itself? Yes. Every model has this feature. All you need is a chisel or big screwdriver. Apply lot of pressure on the port and the interface will come off. I am pretty sure Normis is trying to understand what OP actually means same as ev...
by vecernik87
Wed Oct 14, 2020 8:59 am
Forum: Wireless Networking
Topic: Groove A52AC
Replies: 2
Views: 1109

Re: Groove A52AC

also depends on frequency (2GHz reach further than 5GHz) and required speed (you can achieve longer distance with lower speeds) and many other parameters. Keep in mind that it will not instantly shut off... but reliability will slowly decrease as you increase the distance. If you want a simple answe...
by vecernik87
Tue Oct 13, 2020 8:45 am
Forum: The Dude
Topic: Why is my equipment down?
Replies: 2
Views: 2780

Re: Why is my equipment down?

Is it possible that your dude is trying to reach the router by its WAN IP and that IP changed after the restart?
by vecernik87
Tue Oct 13, 2020 5:09 am
Forum: RouterBOARD hardware
Topic: hAP ac² High temperature
Replies: 61
Views: 27580

Re: hAP ac² High temperature

you have a black router under direct sunlight? well... no wonder it gets hot.

Instead of drilling holes, even a simple piece of white paper would help more
by vecernik87
Tue Oct 13, 2020 5:04 am
Forum: RouterOS beta
Topic: how to understand routing in v7
Replies: 7
Views: 4122

Re: how to understand routing in v7

Cmon, he tried to help you and there is not a single negative point in his reply. The least you can do is not insult him. Since you did not bother to say, that you went through these pages (calling it "short little blurb" didn't help), it was safe to assume you didn't read it and you might...
by vecernik87
Tue Oct 13, 2020 3:16 am
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 100
Views: 58848

Re: WinBox v3.27 released!

The latest Winbox versions do not save settings such as "Inline comments" and "Hide Passwords". Yes it does. I just tested both switches and it works. Screenshot 2020-10-13 111156.png This is from latest winbox v3.27 (unfortunately it does not show the version in the open window)
by vecernik87
Tue Oct 13, 2020 3:04 am
Forum: The Dude
Topic: (BUG) Dude Client crashing on device details and charts
Replies: 33
Views: 12380

Re: (BUG) Dude Client crashing on device details and charts

I got an info on my bug report [SUP-20571] that they resolved the issue and the fix will be released in upcoming RouterOS update.

Hurray :)
by vecernik87
Tue Oct 13, 2020 2:21 am
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 1628

Re: Vlan not working for me,

... the network is not stable at all sometimes it connects and sometime it does not. can mean anything. I couldn't agree more. Unfortunately I don't know anything further (yet). I provided reasonable step-by-step guide to OP so we can narrow down the issue (you know - ping this, ping that, connect ...
by vecernik87
Tue Oct 13, 2020 1:14 am
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 1628

Re: Vlan not working for me,

@sob : thank you thank you thank you! First person saying that I didn't go crazy. btw:my last suggestion to OP in different conversation was exactly as yours - remove the bridge to minimize possible impact. He didn't reply yet so we will wait. @anav : Great. Now we are talking :) Sorry for stroking...
by vecernik87
Mon Oct 12, 2020 11:53 pm
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 1628

Re: Vlan not working for me,

@anav: I didn't want to reply here because I was trying to help this guy in some other place and I hoped that another pair of eyes will notice the issue. I went through it and couldn't spot any mistake (I missed the IP on Ether2 which should be on bridge, but that shouldn't cause issues with VLANs t...
by vecernik87
Wed Oct 07, 2020 4:44 am
Forum: General
Topic: DoH config ignores local static entries
Replies: 7
Views: 1572

Re: DoH config ignores local static entries

It is quite similar to previously repaired "*) dns - do not use DoH for local queries when a server is specified;" in 6.47.1 - in both cases DOH took priority from specified server or local static entry. Unfortunately this is known issue (for any forum user), reported several times since 6...
by vecernik87
Tue Oct 06, 2020 1:51 am
Forum: Scripting
Topic: Script modem reboot
Replies: 5
Views: 1950

Re: Script modem reboot

No matter what solution you choose, I agree that this is likely not doable with simple mikrotik script. Mikrotik can detect loss of connectivity and has simple, yet sufficient scripting language for any tasks done within RouterOS . It has no ability to interact with external tools except sending ema...
by vecernik87
Mon Oct 05, 2020 6:53 am
Forum: Beginner Basics
Topic: Cant' renew license---could not resolve DNS name error
Replies: 3
Views: 1407

Re: Cant' renew license---could not resolve DNS name error

Okay, he seems to be a bit confused with rules (e.g. allowing forward/input for DNS from ALL interfaces - pretty sure it should be allowed only from internal / customer facing interface), but I don't see any rule, which should prevent router itself to use DNS. I still believe that his router shouldn't ...
by vecernik87
Fri Oct 02, 2020 10:18 am
Forum: Virtualization
Topic: Winbox has been disconnected
Replies: 6
Views: 8385

Re: Winbox has been disconnected

how did you actually "migrate" ? If you copy/paste config, you might have MAC collision...
by vecernik87
Fri Oct 02, 2020 7:19 am
Forum: Beginner Basics
Topic: Cant' renew license---could not resolve DNS name error
Replies: 3
Views: 1407

Re: Cant' renew license---could not resolve DNS name error

So your clients can use google DNS but your router can't? that seems bit strange
by vecernik87
Thu Oct 01, 2020 10:27 am
Forum: The Dude
Topic: When Link Down it should change colour
Replies: 2
Views: 2921

Re: When Link Down it should change colour

afaik, not possible. The color changes gradually, based on traffic as a % of available bandwidth (by default black = no/small traffic, red = traffic using 100% of link capacity, as defined in link settings) This would be actually great feature request, if mikrotik was still developing TheDude. Unfor...
by vecernik87
Thu Oct 01, 2020 2:19 am
Forum: General
Topic: EoIP not working as expected
Replies: 4
Views: 1352

Re: EoIP not working as expected

What @sindy said is right. Firstly make sure that MAC spoofing (promiscuous mode) is enabled and that VLANs are allowed in the virtual switch. the bug which @sindy mentioned is clearly related to my earlier investigation: https://forum.mikrotik.com/viewtopic.php?t=144744 I will test further because ...
by vecernik87
Wed Sep 30, 2020 6:02 am
Forum: General
Topic: Redundant EIOP tunnel [SOLVED]
Replies: 2
Views: 1453

Re: Redundant EIOP tunnel [SOLVED]

Yup, my setup as described in the link would work perfectly in this situation. 1) Run two EoIP per each branch 2) merge them using bridge or mesh (mesh will give you literally zero packet failover) 3) modify path costs in bridge-ports / mesh-ports to specify which tunnel has priority and which one is...
by vecernik87
Tue Sep 29, 2020 12:05 pm
Forum: General
Topic: The problem of "communication" of different subnets in one bridge
Replies: 4
Views: 932

Re: The problem of "communication" of different subnets in one bridge

well, clearly the issue occurs when the traffic needs to pass through router. I don't think there is anything you could stuff up with the config - you described it very clearly (which makes me think that you know what you are doing). Two things to check: 1) do you have firewall rules allowing traffi...
by vecernik87
Tue Sep 29, 2020 3:41 am
Forum: General
Topic: VPN Site - Site + Road Warrior [SOLVED]
Replies: 9
Views: 3117

Re: VPN Site - Site + Road Warrior [SOLVED]

Have you ever done that? Can you explain to me how you did it? Of course. Otherwise I wouldn't talk about it :D One of my current setups is following: https://app.diagrams.net/#Uhttps%3A%2F%2Fdrive.google.com%2Fuc%3Fid%3D1pqnKtG0pdkHpXwzonfnEBs0z8L3UmKhJ%26export%3Ddownload https://drive.google.com...
by vecernik87
Tue Sep 29, 2020 1:47 am
Forum: General
Topic: Feature request
Replies: 1
Views: 626

Re: Feature request

If you want something cool, go and buy UBNT. If you want something functional, don't expect coolness.

Personally, I am glad that people who are after coolness aren't buying Mikrotik, because it means less stupid questions and complaints from people who have absolutely no idea about networking.
by vecernik87
Thu Sep 24, 2020 11:13 am
Forum: RouterBOARD hardware
Topic: hAP ac³ switch chip?
Replies: 11
Views: 3943

Re: hAP ac³ switch chip?

..lot of new mikrotik devices have those low-cost retarded switches like RTL .. These "retarded" switches need to be understood as simple port-extenders. Maybe it is the cheapest way to make a multi-port router. I had similar way of thinking like you but then I realised we really should n...
by vecernik87
Thu Sep 17, 2020 8:31 am
Forum: General
Topic: EOIP blocking TCP
Replies: 16
Views: 2926

Re: EOIP blocking TCP

Nice job testing and describing the problem! Can it be possibly MTU issue? I have many EoIP tunnels and they certainly don't block anything. I literally just tested SSH on my production machines and it went through without any issue. The only other option I can think of is some bridge trouble (bridge ...
by vecernik87
Wed Sep 16, 2020 7:14 am
Forum: General
Topic: Can't login here with my password from 12 September 2020
Replies: 4
Views: 1160

Re: Can't login here with my password from 12 September 2020

I second @Znevna - I reset my password with the same which I used previously. And since I already had strong password enough, I had no issue with it.
by vecernik87
Tue Sep 15, 2020 7:58 am
Forum: The Dude
Topic: The Dude - Confusion
Replies: 1
Views: 2749

Re: The Dude - Confusion

I usually do this with a VPN to my server. Then, as long as the remote router has access to the internet, I can see them online and connect to them, even if they put the router behind NAT Dude itself is on-demand monitoring (server has to see clients and sends them requests, clients respond). Good t...
by vecernik87
Tue Sep 15, 2020 5:44 am
Forum: Announcements
Topic: Expected down time for this forum SEPT 11
Replies: 42
Views: 18643

Re: Expected down time for this forum SEPT 11

If password does not work and @krisjanis was upgrading the PHP version, there is likely different hashing algorithm. I mean... it shouldn't be because afaik each hash has short prefix announcing what algorithm is used, but I can imagine that phpBB forum detected new PHP version and forced different ...
by vecernik87
Tue Sep 15, 2020 2:19 am
Forum: Beginner Basics
Topic: ERROR: wrong username or password
Replies: 9
Views: 24294

Re: ERROR: wrong username or password

Interesting finding! thanks for feedback.
If the data are just forwarded (i.e. not ROMON etc), I find it unexpected for any router to modify/corrupt packets. Rather, I would guess that the interim router was accepting the packets and replying on its own possibly?
by vecernik87
Tue Sep 15, 2020 2:07 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 9585

Re: Blocking Facebook, Tiktok and other websites

Blocking all IP from particular ASN will work only for services which have their ASN and do not serve their content from any other IP (Google,FB). However, it will also block other services, which are hosted on those IPs (e.g. google has their google cloud platform hosting heaps of 3rd party website...
by vecernik87
Mon Sep 14, 2020 10:50 am
Forum: Beginner Basics
Topic: ERROR: wrong username or password
Replies: 9
Views: 24294

Re: ERROR: wrong username or password

"wrong password" may appear if the user is not allowed to log in from used IP. check your users, whether they have limited addresses. e.g: [vecernik@mikrotik] > /user export /user add group=full name=vecernik add address=10.11.12.0/24 group=read name=test As you can see, user "vecerni...
by vecernik87
Mon Sep 14, 2020 10:42 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 9585

Re: Blocking Facebook, Tiktok and other websites

Reliable block is impossible. No matter what suggestions will come later, I can guarantee that I will be able to figure out a way to get through, unless you completely block me from the internet. Partially reliable and very easy will be DNS method - force all DNS requests to mikrotik (dst-nat) and t...
by vecernik87
Mon Sep 14, 2020 10:24 am
Forum: General
Topic: CVE-2020-11881 PATCH [SOLVED]
Replies: 28
Views: 8139

Re: CVE-2020-11881 PATCH [SOLVED]

I do not check them "so closely" and I think in 99% of time few days does not matter. I accept your point that this may be part of the thorough testing process for Longterm branch. (I edited my original post now to reflect this) But if BootlabsDev claims: The bug was reported on 06.04.2020...
by vecernik87
Mon Sep 14, 2020 10:14 am
Forum: General
Topic: Hiding other devices
Replies: 3
Views: 1335

Re: Hiding other devices

In theory, you could create bridge-filter rules (not IP filter because it is on the same LAN, therefore L2 traffic, not L3), which will for example block ARP requests to particular IP addresses from your phone, but again, phone can easily change MAC, therefore its not really a protection. Best solut...
by vecernik87
Mon Sep 14, 2020 10:07 am
Forum: General
Topic: CVE-2020-11881 PATCH [SOLVED]
Replies: 28
Views: 8139

Re: CVE-2020-11881 PATCH [SOLVED]

Normis, I appreciate the new version which includes the fix, but please, do not fake release dates. EDIT: Understood. Date is related to "build" not "release". This release was definitely not live week ago, on 7th September. Why does changelog (and your post) claim it was? The to...
by vecernik87
Fri Sep 11, 2020 5:08 am
Forum: General
Topic: Ampache & RouterOS web server on hAP ac2
Replies: 9
Views: 1880

Re: Ampache & RouterOS web server on hAP ac2

you got it right - it is not implemented. What you did not get is, that it will never be implemented. As it was said earlier, router is not a multipurpose device and should not be perceived that way. Some people like to tinker with their devices so they managed to run this music screaming server on ...
by vecernik87
Thu Sep 10, 2020 5:54 am
Forum: General
Topic: VLANs on RouterBoard not working [SOLVED]
Replies: 8
Views: 1345

Re: VLANs on RouterBoard not working [SOLVED]

I am very glad that it helped :) re. your second question: When working with /interface bridge port , each row has its own number as a unique identifier (if you know SQL, imagine it as a primary key in the DB). Then, each row has parameters (e.g. interface, pvid etc..). Your command actually said t...
by vecernik87
Thu Sep 10, 2020 5:08 am
Forum: General
Topic: VLANs on RouterBoard not working [SOLVED]
Replies: 8
Views: 1345

Re: VLANs on RouterBoard not working [SOLVED]

You need to add "tagged bridge1" to your /interface bridge vlan . The relevant section should look like this: /interface bridge vlan add bridge=bridge1 tagged=bridge1,ether9 untagged=ether2 vlan-ids=20 add bridge=bridge1 tagged=bridge1,ether9 untagged=ether3,ether4,ether5,ether6,ether7,eth...
by vecernik87
Fri Sep 04, 2020 3:05 pm
Forum: General
Topic: WOL over VPN
Replies: 5
Views: 3020

Re: WOL over VPN

Of course you get reply on the ping. Question is whether you get reply from the device or from the router. check your ARP records, your source device should see target IP with the correct MAC. That's why I asked this - the ARP record in your computer will prove, whether it is the device (therefore yo...
by vecernik87
Thu Sep 03, 2020 8:16 am
Forum: General
Topic: WOL over VPN
Replies: 5
Views: 3020

Re: WOL over VPN

WOL is L2 functionality (you are sending packet to particular MAC address, therefore it will work only if your source and target devices are on the same L2 segment (to dumb it down - within the same LAN and same VLAN, not behind a router, not different VLAN). VPN may or may not be bridged (having sa...
by vecernik87
Tue Sep 01, 2020 8:54 am
Forum: Beginner Basics
Topic: [Q] how to add multiple firewall ip address in a single list?
Replies: 5
Views: 4416

Re: [Q] how to add multiple firewall ip address in a single list?

It is not unfortunate display. You are not really creating lists. You are creating address entries which have property "list" . As long as the property "list" is same, entries are considered to be part of the same list. Once you use the list somewhere, all entries with the same p...
by vecernik87
Fri Aug 28, 2020 5:13 am
Forum: RouterBOARD hardware
Topic: RB5011
Replies: 40
Views: 22844

Re: RB5011

I had no intention to say that it needs to be modified. I meant that "I wish for it, but I understand that it is not possible". After all, every device is perfect for particular task and it depends how we balance performance/price. I don't think that getting second SFP would be good justif...
by vecernik87
Thu Aug 27, 2020 1:42 am
Forum: RouterOS beta
Topic: Y u no can specify an interface in routers like you used to be able to?
Replies: 5
Views: 1467

Re: Y u no can specify an interface in routers like you used to be able to?

its just public beta... half of things does not work and it is expected. You should not use it anywhere else than testing lab...
by vecernik87
Wed Aug 26, 2020 8:30 am
Forum: General
Topic: VPN Site - Site + Road Warrior [SOLVED]
Replies: 9
Views: 3117

Re: VPN Site - Site + Road Warrior [SOLVED]

... and that's exactly why I prefer to run GRE/EoIP through IPSec - keeping the policy as simple as possible. Internal IP traffic is then going through normal routing process and you can even easily match interfaces for VPN traffic in firewall instead of using "WAN" port as with IPSec.
by vecernik87
Wed Aug 26, 2020 8:21 am
Forum: RouterOS beta
Topic: Feature Request - Enterprise features like VSS, ZTP, IPv6 L3 HW offloading and SD-WAN
Replies: 13
Views: 3779

Re: Feature Request - Enterprise features like VSS, ZTP, IPv6 L3 HW offloading and SD-WAN

VSS - that would be nice ZTP - already available, although not completely out-of-box as with UBNT. Only true form of out-of-band management is a serial port and that is available. L3 HW offloading - in development, although it seems having some limitation (quite small amount of connections can be m...
by vecernik87
Tue Aug 25, 2020 6:45 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 88
Views: 39516

Re: v6.47.2 [stable] is released!

Very bad! I have hAP ac, after updating to version 6.47.2 I can no longer connect to the 5GHz network, only the 2.4GHz network is available, although the 5GHz module in the router settings has the status "running". I would never recommend MikroTik products because the software is very uns...
by vecernik87
Mon Aug 24, 2020 10:43 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 88
Views: 39516

Re: v6.47.2 [stable] is released!

All you have to do is back up your settings before upgrading and reset the router to default configuration, then upgrade router and then restore your backup . Even poor admins should not restore backup on other device or version that differs from where it was made. There is no problem restoring the...
by vecernik87
Mon Aug 24, 2020 7:02 am
Forum: Scripting
Topic: My Backup file contains malicious scripts
Replies: 5
Views: 2160

Re: My Backup file contains malicious scripts

Netinstall - the only way to get rid of hidden stuff...
by vecernik87
Mon Aug 24, 2020 2:13 am
Forum: RouterOS beta
Topic: FEATURE REQUEST: BBR(Bottleneck Bandwidth and Round-trip propagation time) Congestion Control
Replies: 12
Views: 7138

Re: FEATURE REQUEST: BBR(Bottleneck Bandwidth and Round-trip propagation time) Congestion Control

I always thought that TCP congestion control is managed by endpoints? (e.g. web browser and web server) My understanding of BBR is, that endpoints are "smarter" and learn how the network behaves. Then they adjust sending rate based on this info. Network itself (any router on the path) is u...
by vecernik87
Sat Aug 22, 2020 12:02 pm
Forum: RouterBOARD hardware
Topic: RB5011
Replies: 40
Views: 22844

Re: RB5011

I think Design 1 is quite limited for nowadays - only 1G ports won't be very interesting, when almost every enthusiast/prosumer is looking at >1Gbit. However, with correct aggressive pricing, it might be still a great lower-mid range router. You could also drop the memory and flash to lower values to ...
by vecernik87
Fri Aug 21, 2020 1:06 pm
Forum: Beginner Basics
Topic: Remote Management Access using Public IP
Replies: 11
Views: 18927

Re: Remote Management Access using Public IP

1+3) If we are talking about spoofing IP for TCP connection, then attacker must be on the route between original IP which he is trying to spoof and the target. Otherwise he will never get the reply, therefore no TCP connection... Statistics are applicable only if you are talking about random hacker ...
by vecernik87
Fri Aug 21, 2020 11:11 am
Forum: Beginner Basics
Topic: Remote Management Access using Public IP
Replies: 11
Views: 18927

Re: Remote Management Access using Public IP

1) IP whitelisting provides limited security. Your ISP and any 3rd party in between your SRC and DST is in full control over data going through and can simulate connection with a fake IP. 2) Nonstandard port provides also very limited security. Technically, it is a "security through obscurity&q...
by vecernik87
Fri Aug 21, 2020 2:29 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 88
Views: 39516

Re: v6.47.2 [stable] is released!

hAP Lite - not enough space for upgrade Thats a ~18 Euro hardware, dont expect much from such a device... That may apply for other manufacturers but not for Mikrotik. It is expected that software release will work on every supported device, no matter the price. Anyway, not enough space means most l...
by vecernik87
Thu Aug 20, 2020 4:28 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 88
Views: 39516

Re: v6.47.2 [stable] is released!

Are you guys serious? The second update, in the last couple of months, with problems you don't expect at all. One core is constantly 100% loaded with something incomprehensible. https://c.radikal.ru/c39/2008/2c/6e9b16a53516t.jpg At the moment, the download has dropped. But I would like to know what...
by vecernik87
Thu Aug 20, 2020 3:35 am
Forum: Virtualization
Topic: BUG: Bridge not work with MTU=1500
Replies: 2
Views: 5867

Re: bug: Bridge not work with MTU>1500

Can you please test with smaller packets as well? Quite a while ago, I encountered similar issue, where VLAN-tagged packets were not passing through the bridge in CHR but everything worked fine when I bound VLAN to an ethernet interface. All details here: https://forum.mikrotik.com/viewtopic.php?f=1...
by vecernik87
Tue Aug 11, 2020 7:52 am
Forum: General
Topic: DHCP conflict detection issue
Replies: 4
Views: 13557

Re: DHCP conflict detection issue

I think you may be right. It is possible that originally they checked just by ICMP ping (compulsory by RFC) and now they are checking both ICMP and ARP (Optional by RFC). Reality is, that many devices refuse to answer ICMP on public interface so ICMP is not enough. What makes me sad is, that I alrea...
by vecernik87
Tue Aug 11, 2020 7:40 am
Forum: General
Topic: EoIP low performance
Replies: 3
Views: 2550

Re: EoIP low performance

I would say it is error in the testing method. I couldn't do it properly (correctly, Device-under-test should not be the one which generates/consumes the traffic) so I just took the first two devices I know of where I already have EoIP and ran the btest between them. In UDP mode, it easily went to 1...
by vecernik87
Fri Aug 07, 2020 3:49 am
Forum: General
Topic: DHCP conflict detection issue
Replies: 4
Views: 13557

Re: DHCP conflict detection issue

Conflict detection was always there (RFC requirement for DHCP servers). MT just added a checkbox to disable it (I am still puzzled who would need that because it breaks RFC). Hotspot is quite proprietary function, thus not covered by RFC. If you are having issues right now, I would recommend to incr...
by vecernik87
Fri Jul 31, 2020 8:27 am
Forum: General
Topic: DNS resolution vulnerability
Replies: 14
Views: 4048

Re: DNS resolution vulnerability

*facepalm* silly me :D Always forget to check gravediggers
by vecernik87
Fri Jul 31, 2020 6:30 am
Forum: General
Topic: DNS resolution vulnerability
Replies: 14
Views: 4048

Re: DNS resolution vulnerability

Sorry but i have to concur with marko. Default config with drop 53 added : Default config contains universal drop rule. You shouldn't need those individual drop rules. If you need them, you are clearly missing some important part. (you or someone else likely deleted that) To confirm original, unmod...
by vecernik87
Fri Jul 31, 2020 6:14 am
Forum: General
Topic: Masquerade rule on dynamic interface? [SOLVED]
Replies: 2
Views: 1656

Re: Masquerade rule on dynamic interface? [SOLVED]

if the user can't connect more than once at a time, then you can simply create static "L2TP server binding" which will create your interface permanently. Alternative, possibly better way (no matter how many connections are we talking about) is to add profile, with selected "interface ...
by vecernik87
Wed Jul 29, 2020 10:09 am
Forum: Beginner Basics
Topic: mac address isolation
Replies: 2
Views: 1188

Re: mac address isolation

Unless it is very VERY unusual website, there will be external dependencies and that will make the website unusable with any kind of firewall filter filter L7 filtering is best done in the browser itself, because browser can actually distinguish, if the request is website or if it is just a depende...
by vecernik87
Wed Jul 29, 2020 1:47 am
Forum: Beginner Basics
Topic: Hardware offload
Replies: 4
Views: 5745

Re: Hardware offload

@plisken : I am afraid that @CZFan is right. Your RB750Gr3 uses switch chip in MT7621 and that has almost no features supported with bridge offload. Not even STP/RSTP. you can check it here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading @CZFan : thanks for pointi...
by vecernik87
Thu Jul 23, 2020 9:05 am
Forum: Wireless Networking
Topic: RoMon
Replies: 2
Views: 1286

Re: RoMon

Can't say for sure whether it is the case, but I know for sure that some UBNT devices (Unifi switches and Edge Switches are those which I tested) do not forward ROMON packets because the ethertype and MAC addresses are unusual. This whole ROMON network is a nice idea but too much proprietary and unu...
by vecernik87
Thu Jul 23, 2020 7:54 am
Forum: General
Topic: Long waiting time for internet access
Replies: 2
Views: 1130

Re: Long waiting time for internet access

During the time when internet access is unavailable, I would: ping the gateway/router, ping the other computer (should be on the same LAN, right?) ping some public IP (e.g. 1.1.1.1 or 8.8.8.8 ) try to resolve some domain with default DNS (e.g. nslookup google.com) try to resolve some domain with spe...
by vecernik87
Mon Jul 20, 2020 6:08 am
Forum: The Dude
Topic: Can Dude monitor a Win10 PC with firewall on?
Replies: 6
Views: 4359

Re: Can Dude monitor a Win10 PC with firewall on?

when ping is blocked, ARP request usually does the job if you are on the same L2 segment. Unfortunately, TheDude does not have ARP probe, so the only way I know of is a script in RouterOS
by vecernik87
Sun Jul 19, 2020 10:34 am
Forum: General
Topic: Intermittent internet
Replies: 7
Views: 3629

Re: Intermittent internet

symptoms are typical for MTU issues... Maybe you need to add mangle with MSS clamp? Or just allow ICMP?

Anyway, you can confirm it by trying to ping with large packets:
ping 1.1.1.1 size=1500 do-not-fragment
by vecernik87
Sun Jul 19, 2020 5:34 am
Forum: Beginner Basics
Topic: Webfig login hack
Replies: 14
Views: 23438

Re: Webfig login hack

OP is funny. On the one hand, he is aware of tenable's exploits. On the other hand, he is unable to use them (despite the fact there is Proof of Concept script for every single exploit). @OP : Just reset the thing and live with it... Nobody with consciousness will guide you how to hack a device. Sinc...
by vecernik87
Fri Jul 17, 2020 1:12 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7816

Re: Traffic to blocked address still succeeds. Why? A bug?

any proxy is generally very powerful because it actually processes the request (therefore it understands exactly what is being requested and returned) but https proxies are also serious security threat - for HTTPS or generally SSL encrypted traffic (nowadays majority of internet traffic) you need to...
by vecernik87
Thu Jul 16, 2020 10:58 am
Forum: Wireless Networking
Topic: Wireless problem with Apple devices
Replies: 15
Views: 5099

Re: Wireless problem with Apple devices

AFAIK this is normal behavior from apple - they disconnect to save the power, when display is off (or device is locked) and they connect on regular basis to allow apps get updates/messages/notifications https://discussions.apple.com/thread/250285673 https://apple.stackexchange.com/questions/218354/h...
by vecernik87
Thu Jul 16, 2020 10:46 am
Forum: Forwarding Protocols
Topic: Client side VPN connection issues
Replies: 2
Views: 1393

Re: Client side VPN connection issues

Sorry man, my crystal ball is in the service today so my clairvoyance ability is disabled for now :(

bit more serious advice: If you are losing customers, hire a consultant. If you want help, no matter where, provide info. Without info, nobody can help.
by vecernik87
Thu Jul 16, 2020 10:36 am
Forum: Beginner Basics
Topic: Secondary routes
Replies: 3
Views: 1623

Re: Secondary routes

or you can just run GRE/EoIP within ipsec to make it nice routable tunnel... Is it naughty? yes. Does it cause more overhead? Yes. Does it make the whole management and failover easier to understand? Yes. You choose what is the priority :) ps: I am even more naughty. I actually run EoIP with Mesh (H...
by vecernik87
Thu Jul 16, 2020 10:21 am
Forum: Announcements
Topic: IP Cloud
Replies: 79
Views: 159542

Re: IP Cloud

@AlexRodac : You can't do much. "IP Cloud" is just fancy name for Dynamic DNS. It helps if you have public dynamic IP - that means real world routable IP which can randomly change anytime. Every time IP changes, mikrotik will update the DNS entry and point the same unique domain name to th...
by vecernik87
Tue Jul 14, 2020 3:58 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 146
Views: 94666

Re: v6.47.1 [stable] is released!

is it REALLY worth it!???? Yes it is. Let's call it planned obsolescence and what's the first rule of planned obsolescence? We don't talk about it! Ok, let's go from conspiracy theories back to the reality: It is well known that this is not a technical limitation. e.g. Mikrotik Audience with IPQ-4019 ...
by vecernik87
Mon Jul 13, 2020 1:41 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 146
Views: 94666

Re: v6.47.1 [stable] is released!

@jsadler: Do you have some switch chip configuration on those particular devices with faults? It might be relevant because quite a while ago, I had an experience with RBD52G (using Atheros 8327 switch chip) that some features from switch-chip menu were causing serious packet loss to a degree I had ...
by vecernik87
Sat Jul 11, 2020 1:30 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 146
Views: 94666

Re: v6.47.1 [stable] is released!

I think this might be about :resolve command with server parameter specified. E.g.: :put [:resolve google.com server=8.8.8.8] :put [:resolve example.com server=10.10.10.10] You may be right davis! I tested it just now with 6.47 (not working) vs 6.47.1 (working). So it was just misunderstanding of t...
by vecernik87
Fri Jul 10, 2020 3:29 pm
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 146
Views: 94666

Re: v6.47.1 [stable] is released!

Already reported for 6.48beta, but applies here, too:
*) dns - do not use DoH for local queries when a server is specified;
This is about forwarding? Looks like queries are still sent via DoH for me.
Anybody made this work?
Not working on mine either.
by vecernik87
Thu Jul 09, 2020 12:03 pm
Forum: General
Topic: Feature request: IPSec Support of DH group 31 (EC25519)
Replies: 5
Views: 3495

Re: Feature request: IPSec Support of DH group 31 (EC25519)

I don't think this is a sensitive/touchy topic. Official way to ask for features is going to your distributor and asking them. They will ask mikrotik (because your distributor is mikrotik's customer) and based on some magical formula, mikrotik may decide to implement it. Asking on forum is possible ...
by vecernik87
Thu Jul 09, 2020 3:26 am
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 9
Views: 3566

Re: BUG: DNS USE ONLY DOH

Gosh, I couldn't agree more. In no way I meant to say that L7 NAT hack is ideal. I actually hate it because it does not apply to RouterOS itself (Prerouting is not in Output chain) But as you acknowledged, it is better than nothing, if you can't have dedicated DNS appliance. I guess we are really pu...
by vecernik87
Wed Jul 08, 2020 2:00 pm
Forum: General
Topic: IPSEC Policy BUG - version 6.47
Replies: 4
Views: 1702

Re: IPSEC Policy BUG - version 6.47

afaik, this seems to be known issue when a person uses an old winbox. (current version is 3.24)
Since it is not a new bug, there is not much reason to send it individually to support and waste their time.
by vecernik87
Wed Jul 08, 2020 1:48 pm
Forum: RouterBOARD hardware
Topic: PPTP 1000Mbit - which router should I choose?
Replies: 5
Views: 2385

Re: PPTP 1000Mbit - which router should I choose?

You probably mean PPPoE, right? In that case, almost any Gbit capable router should do the job. I would avoid those, which achieve gigabit just barely and/or have only single core. (e.g. RB2011) RB750Gr3 (hEX) if you want cheap-cheap RB760iGS (hEX S) if you want optical fiber RBD52G (hAP ac2) if you...
by vecernik87
Wed Jul 08, 2020 12:31 pm
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 9
Views: 3566

Re: BUG: DNS USE ONLY DOH

That is a theory but unfortunately this does not work with DOH right now . Mikrotik staff is aware (reported in [SUP-20565], resolved in v6.48beta12) and hopefully they will soon release fix in stable channel. Does it work for you with 6.48beta12? To my findings the behavior did not change. ouch, s...
by vecernik87
Wed Jul 08, 2020 11:26 am
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 9
Views: 3566

Re: BUG: DNS USE ONLY DOH

Mikrotik never tried to resolve DNS from multiple servers. If the first one fails, mikrotik considers it as a valid response. If you want to resolve specific domains through different server, you can use FWD entry. E.G.: /ip dns static add forward-to=10.0.0.1 regexp=".*\.example\.local" type=FW...
by vecernik87
Tue Jul 07, 2020 2:58 am
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 103
Views: 88681

Re: Winbox v3.24 released!

Based on https://forum.mikrotik.com/viewtopic.php?f=21&t=161887&p=804375#p804344 I ended up here. To reproduce: open a window like "IP firewall filters" in a router that is in active use, and make sure the hit-counts of firewall rules are being displayed (and changing all the time)...
by vecernik87
Mon Jul 06, 2020 1:33 pm
Forum: The Dude
Topic: RouterOS in bridge mode is not recognized
Replies: 2
Views: 3811

Re: RouterOS in bridge mode is not recognized

Well, you answered your problem - if the router does not have IP, then it can't be reached by TheDude. I don't think anyone can give you any better advice, because you might have no IP on purpose. If you could share your network topology, it would help to understand and possibly overcome the trouble...
by vecernik87
Mon Jul 06, 2020 1:15 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 348
Views: 171208

Re: v6.47 [stable] is released!

Still, it does not seem that many users use (or even know about) that precaution...
because 95% of us are stuck with 16MB of space... :(
by vecernik87
Mon Jul 06, 2020 11:07 am
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 348
Views: 171208

Re: v6.47 [stable] is released!

another bug ... when going under IP/IPSec/Policy, and opening an existing one seems to exit winbox/crash winbox. Or adding new one. You simply cannot edit/create ipsec policies using winbox on 6.47. Winbox just crashes without any error message. thaaats interesting. I just recreated from scratch ou...
by vecernik87
Mon Jul 06, 2020 2:45 am
Forum: Scripting
Topic: Torrent blocking working in y2020
Replies: 34
Views: 27274

Re: Torrent blocking working in y2020

well, if it does not work 100% then it does not really help, don't you think? I mean - what difference it makes if the download takes bit more? Idea of blocking is, that NOTHING goes through. If it still starts after a while, it likely means you missed some port or regexp part, which still gets thro...
by vecernik87
Wed Jul 01, 2020 1:26 pm
Forum: The Dude
Topic: the new dude is garbage
Replies: 3
Views: 4025

Re: the new dude is garbage

Just wait until you see 6.47 :D
by vecernik87
Tue Jun 30, 2020 5:50 am
Forum: The Dude
Topic: (BUG) Dude Client crashing on device details and charts
Replies: 33
Views: 12380

Re: (BUG) Dude Client crashing on device details and charts

Reported as well. Hope they will look into it. Current status simply means I can't use it at all and I don't know whether I should start looking for something else or not. Even with small bugs and lack of development, TheDude was much friendlier monitoring system than any other which I tried. edit: ...
by vecernik87
Tue Jun 30, 2020 4:55 am
Forum: Scripting
Topic: IP cloud public address into variable
Replies: 3
Views: 2406

Re: IP cloud public address into variable

print the data into console:
:put [/ip cloud get public-address]
Save into variable:
:global public_ipv4 [/ip cloud get public-address]
Enjoy :)
by vecernik87
Sun Jun 07, 2020 11:04 am
Forum: RouterOS beta
Topic: UI/UX On WinBox
Replies: 23
Views: 8664

Re: UI/UX On WinBox

Hello Dear, This has to be a troll... No troll, this type of word selection is typical for a country which I cannot name (for sake of political correctness). I hear/read this overly-friendly type almost every time I contact an off-sourced call center or customer support. That's simply how some people...
by vecernik87
Sat Jun 06, 2020 12:15 pm
Forum: General
Topic: DNS DoH [SOLVED]
Replies: 6
Views: 7672

Re: DNS DoH [SOLVED]

If you already did, then why are you asking?

TBH, I agree with @msatter, because If someone wants to stop me from visiting porn, they would have to physically cut the cable, otherwise I will find a way.
by vecernik87
Wed Jun 03, 2020 3:38 pm
Forum: Wireless Networking
Topic: Having a bigger dish? [SOLVED]
Replies: 3
Views: 5475

Re: Having a bigger dish? [SOLVED]

Dish size will likely increase total dBi and therefore improve your signal. However, those trees are a problem. Instead of trimming them, maybe you can put both antennas on a little mast/tower? Also make sure you have aligned your dishes properly. In terms of wireless quality, there is no magic - it...
by vecernik87
Wed Jun 03, 2020 5:07 am
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 348
Views: 171208

Re: v6.47 [stable] is released!

It seems to me that DNS FWD does not work if there is DoH set up. I can imagine people who want to FWD their internal domain zones while securing all external/public requests. (If you want to test it, remember to flush cache before every request) Even with this little hiccup, I think it is a great u...
by vecernik87
Thu May 21, 2020 11:52 am
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 2483

Re: Firewall Rule not work with Microsoft DHCP server

Nobody got confused. Your computers are on the same subnet and on the same L2 segment (unless you separated them on the switch), therefore they can communicate directly between each other. Mikrotik will not even know about the communication because the switch will directly forward it to the correct ...
by vecernik87
Thu Apr 30, 2020 2:41 am
Forum: Virtualization
Topic: License rent for CHR
Replies: 8
Views: 5025

Re: License rent for CHR

Well, nobody says otherwise :D I literally confirmed the same. Also I gave an example how it would look if OP wanted to make it look like "lease" and I mentioned possible troubles which came into my mind. But the whole idea is clearly based on transfer of the perpetual licence between diffe...
by vecernik87
Wed Apr 29, 2020 6:16 am
Forum: Virtualization
Topic: License rent for CHR
Replies: 8
Views: 5025

Re: License rent for CHR

Mikrotik itself does not provide any "leasing" ability, but you can do it as you described: - You own perpetual licence, which is bound to your mikrotik account. - You install customer's CHR and assign the licence to it. Unfortunately this requires the CHR to be assigned to your account, b...
by vecernik87
Sun Apr 26, 2020 3:45 pm
Forum: Beginner Basics
Topic: Lease Expiry Causing DHCP Critical Error [SOLVED]
Replies: 23
Views: 13152

Re: Lease Expiry Causing DHCP Critical Error [SOLVED]

I thought that "sniff dhcp traffic" is clear enough. Apparently, I was wrong. Sorry for that. you need to filter it by: - interface (vlanbell or bell), please make sure you have only ONE interface selected. If you select both, you may get duplicate readings (because packet goes through VLA...
by vecernik87
Sun Apr 26, 2020 5:26 am
Forum: Beginner Basics
Topic: Lease Expiry Causing DHCP Critical Error [SOLVED]
Replies: 23
Views: 13152

Re: Lease Expiry Causing DHCP Critical Error [SOLVED]

This topic is getting to my favorite phase where I step in and ask "why the heck would you waste time, when you can simply sniff the DHCP traffic on the port?" You will clearly see if your router is asking for DHCP renew and when. You will see if there is some NAK answer or if the request ...
by vecernik87
Sat Apr 11, 2020 3:42 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: Add Basic Firewall Rule Wizard
Replies: 71
Views: 23245

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job. I am not worried about my job. I am worried about general security and about wasting mikrotik's developers time on a feature, which will not have many uses. Simplifying a firewall rule wizard such a...
by vecernik87
Thu Mar 26, 2020 5:31 am
Forum: RouterOS beta
Topic: FEATURE REQUEST: Add Basic Firewall Rule Wizard
Replies: 71
Views: 23245

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

You can't simplify this. Each situation is different. For example some people may be behind ISP's NAT and use RFC1918 address... blocking bogons might break this... In addition, these "premade" rules may be incompatible with existing setting etc... If you have a single change against defco...