Community discussions

Search found 27 matches

by petern
Sun Feb 09, 2020 1:39 pm
Forum: General
Topic: IPv6 outbound static route via VRRP
Replies: 5
Views: 1114

Re: IPv6 outbound static route via VRRP

Although when using a /128, I can't enable router advertising, so some of the benefit of VRRP is lost... I could add an explicit gateway to all hosts, I guess, but...
by petern
Sun Feb 09, 2020 12:19 am
Forum: General
Topic: IPv6 outbound static route via VRRP
Replies: 5
Views: 1114

Re: IPv6 outbound static route via VRRP

That fixes it... and I discover I've been setting up VRRP wrong all this time... (yet it mostly worked...) :shock: :?
by petern
Sat Feb 08, 2020 6:47 pm
Forum: General
Topic: IPv6 outbound static route via VRRP
Replies: 5
Views: 1114

Re: IPv6 outbound static route via VRRP

Looking at the IPv6 neighbour list, the gateway does not appear on the VRRP interface, only the underlying interface.

    > /ping 2a00:xxxx:yyyy:2b::1%external ... echo reply
    > /ping 2a00:xxxx:yyyy:2b::1%vrrpexternal ... no route to host
    > /ipv6 route check ::0 status: failed

With no IPv6 assigned on th...
by petern
Sat Feb 08, 2020 1:24 pm
Forum: General
Topic: IPv6 outbound static route via VRRP
Replies: 5
Views: 1114

IPv6 outbound static route via VRRP

Hi, I'm using VRRP to provide a virtual IP for my upstream to route traffic to. That bit is working fine for IPv4, and inbound is fine for IPv6. However, with the IPv6 address assigned to the VRRP interface, RouterOS claims that there is no route when trying to use the default route. If I switch the...
by petern
Mon Oct 28, 2019 6:30 pm
Forum: Announcements
Topic: v6.44.6 [long-term] is released!
Replies: 54
Views: 44174

Re: v6.44.6 [long-term] is released!

Good news, my hAP lite which refused to update to 6.44.5 due to space was able to successfully update to 6.44.6! No need for a netinstall.
by petern
Mon Jul 29, 2019 11:12 am
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 47841

Re: v6.45.2 [stable] is released!

At 6.45.1, gre tunnels stopped working. Redid all 15 routers on ip tunnels. 3 weeks after the release of 6.45.2, the ip tunnels stopped working ....
Exactly the same here! Upgraded from 6.42.7 to 6.45.2 on a CCR1036 and all the GRE tunnels stopped working. Ok I know that the Mikrotik guys can't te...
by petern
Thu Jul 25, 2019 11:37 am
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 47841

Re: v6.45.2 [stable] is released!

It is possible to have two (or more) ROS versions installed if the unit has flash storage with size of 64MB or more. In this case, one can partition flash to two halves and run different version of ROS in both partitions. If ROS crashes or fails to boot from one partition, it'll automatically try t...
by petern
Thu Jul 11, 2019 12:32 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 48562

Re: v6.44.5 [long-term] is released!

So I also can go from 6.44.3 (stable) to 6.44.5 (LT) without any major changes/problems?
You can review the changes for 6.44.4 and 6.44.5 to determine if any of them will affect you?
by petern
Wed Jul 10, 2019 6:57 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 48562

Re: v6.44.5 [long-term] is released!

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
You have set strong-crypto=yes? I think it depends on that setting.
Yes, strong-crypto=yes was already set.
by petern
Wed Jul 10, 2019 6:07 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 48562

Re: v6.44.5 [long-term] is released!

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
by petern
Tue Jul 02, 2019 5:08 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 111926

Re: v6.45.1 [stable] is released!

Can you be more verbose? "initiator" is a role of an IPsec peer, but there is no "initiator/responder" or "client/server" role related to GRE, both ends of the tunnel are sending no matter whether the remote end responds or not and no matter whether a corresponding IPsec policy is available or not,...
by petern
Mon May 13, 2019 2:02 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 8133

Re: v6.43.15 [long-term] is released!

Hmm, weren't the IPv6 route cache size fixes already in 6.43.14?
by petern
Fri Sep 28, 2018 6:11 pm
Forum: General
Topic: Routing Failover without Scripting
Replies: 3
Views: 864

Routing Failover without Scripting

I've been trying to set up routing failover by following information from here: https://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting While the gateway-status of the Host1 route is reachable, the gateway-status of the default route via Host1 says "Host1 unreachable". 0 S...
by petern
Mon Sep 10, 2018 11:03 am
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 35386

Re: v6.43 [current] is released!

Sad to see this still here which is not good for anyone using radius to provide 2FA.
!) radius - use MS-CHAPv2 for "login" service authentication;
by petern
Tue Aug 28, 2018 11:16 am
Forum: General
Topic: BUG: CHR kernel panic - ESXi 6.5 using VMXNET3 network driver
Replies: 5
Views: 1642

Re: BUG: CHR kernel panic - ESXi 6.5 using VMXNET3 network driver

This is a bug in ESXi 6.5. It should be fixed by upgrading to 6.5 U1.
by petern
Thu Aug 23, 2018 1:24 pm
Forum: General
Topic: No layer7-protocol on ipv6?
Replies: 1
Views: 688

No layer7-protocol on ipv6?

I'm using layer7-protocol filtering on ipv4 and this is working fine, however it is not possible to use with ipv6 yet. Is this on the roadmap and likely to arrive in v6's lifetime?
by petern
Thu Aug 23, 2018 11:16 am
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 37035

Re: v6.42.7 [current] is released!

Well you guys did want a security blog and more awareness. Now you complain that the issues are not serious enough :D We will try to find a balance.
The issue is you need to provide a little more information please. Adding the CVSS score would be useful, along with information about mitigations (fi...
by petern
Sat Aug 11, 2018 12:33 am
Forum: General
Topic: CCR1036 - 50% cpu usage
Replies: 3
Views: 772

Re: CCR1036 - 50% cpu usage

Oh wow, that was quick, thanks. This makes sense, only a few weeks ago I changed one of the tunnels to be ikev2. For now I will switch back to ikev1. I suppose it will need a reboot to resolve the problem.
by petern
Fri Aug 10, 2018 11:54 pm
Forum: General
Topic: CCR1036 - 50% cpu usage
Replies: 3
Views: 772

CCR1036 - 50% cpu usage

I have a pair of CCR1036-12G-4S running for about a year now, running 6.40.8 with firmware 3.41. Today one of them is showing a constant 50% CPU usage instead of the normal 3-4%, but traffic levels are low, currently around 2-4Mbit/s and 500-1000 pps.

/tool profile
NAME CPU USAGE
console 0%
firewall...
by petern
Mon Aug 06, 2018 11:56 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 132941

Re: v6.43rc [release candidate] is released!

Hi, I'm also using PAP with radius for authentication to support 2FA logins. Using only chap is not helpful. Is feedback here taken on board or is there a more official way to get this heard?
by petern
Tue Jun 26, 2018 3:44 pm
Forum: General
Topic: IPSec error payload missing: ID_R
Replies: 6
Views: 4477

Re: IPSec error payload missing: ID_R

I'm getting the same error message connecting to a Checkpoint VPN. Did you find a resolution, digit?
by petern
Thu Jun 21, 2018 1:30 pm
Forum: General
Topic: Mikrotik to Checkpoint IPSec VPN
Replies: 0
Views: 608

Mikrotik to Checkpoint IPSec VPN

Hi, I'm looking to use a Mikrotik to connect to a Checkpoint (9.6(2)) IPSec VPN. The set up will be with dh-group 19 so I plan to use RouterOS 6.42.2 for this as bugfix does not have the ecc dh-groups. Anyone have positive/negative experience trying to tie these two together? I see a couple of negat...
by petern
Tue Feb 20, 2018 6:11 pm
Forum: General
Topic: Feature Request: Logging of all administrator user actions
Replies: 22
Views: 7378

Feature Request: Logging of all administrator user actions

Hi, Please could we have full command logging (with sensitive information preferably hidden) of actions performed by administrators. The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed. [This is not a key logger! ;...
by petern
Tue Feb 20, 2018 5:57 pm
Forum: General
Topic: Feature Request: Idle timeout for ssh/http(s)/winbox
Replies: 1
Views: 730

Feature Request: Idle timeout for ssh/http(s)/winbox

Hi,

Could we please have the ability to have user login sessions subject to a configurable idle timeout?

PCI DSS Requirements
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
by petern
Fri Jan 19, 2018 6:58 pm
Forum: General
Topic: Feature request - Diffie Hellman groups 19-21
Replies: 6
Views: 2524

Re: Feature request - Diffie Hellman groups 19-21

Great news! :-)

Thanks.
by petern
Wed Dec 13, 2017 6:04 pm
Forum: General
Topic: Feature request - Diffie Hellman groups 19-21
Replies: 6
Views: 2524

Re: Feature request - Diffie Hellman groups 19-21

I have a VPN requirement that specifies that DH19 must be used. Are these ECC modes ever likely to be available? Performance is not overly a concern as the data to be transmitted is only small.