Although when using a /128, I can't enable router advertising, so some of the benefit of VRRP is lost... I could add an explicit gateway to all hosts, I guess, but...

That fixes it... and I discover I've been setting up VRRP wrong all this time... (yet it mostly worked...)

Looking at the IPv6 neighbour list, the gateway does not appear on the VRRP interface, only the underlying interface. > /ping 2a00:xxxx:yyyy:2b::1%external ... echo reply > /ping 2a00:xxxx:yyyy:2b::1%vrrpexternal ... no route to host > /ipv6 route check ::0 status: failed With no IPv6 assigned on th...

Hi, I'm using VRRP to provide a virtual IP for my upstream to route traffic to. That bit is working fine for IPv4, and inbound is fine for IPv6. However, with the IPv6 address assigned to the VRRP interface, RouterOS claims that there is no route when trying to use the default route. If I switch the...

Good news, my hAP lite which refused to update to 6.44.5 due to space was able to successfully update to 6.44.6! No need for a netinstall.

at 6.45.1, gre tunnels stopped working. Redid all 15 routers on ip tunnels. 3 weeks after the release of 6.45.2, the ip tunnels stopped working .... Exactly the same here ! Upgraded from 6.42.7 to 6.45.2 on a CCR1036 and all the GRE tunnels stopped working. Ok I know that the Mikrotik guys can't te...

[*] it is possible to have two (or more) ROS versions installed in unit has flash storage with size of 64MB or more. In this case, one can partition flash to two halves and run different version of ROS in both partitions. If ROS crashes or fails to boot from one partition, it'll automatically try t...

So i also can go from 6.44.3 (stable) to 6.44.5 (LT) without any major changes/problems ?

You can review the changes for 6.44.4 and 6.44.5 to determine if any of them will affect you?

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.

You have set strong-crypto=yes? I think it depends on that setting.

Yes strong-crypto=yes was already set.

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.

Can you be more verbose? "initiator" is a role of an IPsec peer, but there is no "initiator/responder" or "client/server" role related to GRE, both ends of the tunnel are sending no matter whether the remote end responds or not and no matter whether a corresponding IPs...

Hmm, weren't the IPv6 route cache size fixes already in 6.43.14?

I've been trying to set up routing failover by following information from here: https://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting While the gateway-status of the Host1 route is reachable, however the gateway-status of the default route via Host1 says "Host1 unreachable&...

Sad to see this still here which is not good for anyone using radius to provide 2FA.

!) radius - use MS-CHAPv2 for "login" service authentication;

Hmm, not sure about 6.0

On the VMware knowledge base: https://kb.vmware.com/s/article/2151480
Found via https://www.linkedin.com/pulse/linux-vi ... -yong-lim/

This is a bug in ESXi 6.5. It should be fixed by upgrading to 6.5 U1.

I'm using layer7-protocol filtering on ipv4 and this is working fine, however it is not possible to use with ipv6 yet. Is this on the roadmap and likely to arrive in v6's lifetime?

Well you guys did want a security blog and more awareness. Now you complain that the issues are not serious enough :D We will try to find a balance. The issue is you need to provide a little more information please. Adding the CVSS score would be useful, along with information about mitigations (fi...

Oh wow, that was quick, thanks. This makes sense, only a few weeks ago I changed one of the tunnels to be ikev2. For now I will switch back to ikev1. I suppose it will need a reboot to resolve the problem.

I have a pair of CCR1036-12G-4S running for about a year now, running 6.40.8 with firmware 3.41. Today one of them is showing a constant 50% CPU usage instead of the normal 3-4%, but traffic levels are low, currently around 2-4Mbit/s and 500-1000 pps. /tool profile NAME CPU USAGE console 0% firewall...

Hi, I'm also using PAP with radius for authentication to support 2FA logins. Using only chap is not helpful. Is feedback here taken on board or is there a more official way to get this heard?

I'm getting the same error message connecting to a Checkpoint VPN. Did you find a resolution, digit?

Hi, I'm looking to use a Mikrotik to connect to a Checkpoint (9.6(2)) IPSec VPN. The set up will be with dh-group 19 so I plan to use RouterOS 6.42.2 for this as bugfix does not have the ecc dh-groups. Anyone have positive/negative experience trying to tie these two together? I see a couple of negat...

Hi, Please could we have full command logging (with sensitive information preferably hidden) of actions performed by administrators. The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed. [This is not a key...

Great news!

Thanks.

I have a VPN requirement that specifies that DH19 must be used. Are these ECC modes ever likely to available? Performance is not overly a concern as the data to be transmitted is only small.