MikroTik

frank333

I read somewhere that someone managed to unlock the Lenovo computer version.

frank333

How long have you been using it , does it respond to all AT commands?

frank333

the counter indicated by the arrow in the image below, what does it refer to?

interface.jpg

frank333

log.jpeg

on rbm11 scripts with fetch still do not work, I have reverted to 7.12.1

frank333

I have downloaded it and posted it here: https://mega.nz/file/5HQUnBrT#XkOAXngWR ... 1R84yTb0fQ

frank333

you must register

frank333

I found this if you can use it https://techship.com/download/l860-gl-f ... and-guide/

frank333

yes it doesn't make sense, try updating the firmware first (I only found the update tool but not the update file) then try a different usb2 adapter , covering the pins with tape doesn't seem like a good solution to me.

frank333

I can't tell you exactly why certain adapters with usb3.0 connector connected to the router's usb3.0 don't work.I also had the same problem (with em160 modem), I replaced the 'adapter with a usb2.0 one and it worked.Try it cost a few euros on aliexpress

frank333

you have to use a pci-e usb2.0 adapter the pinout on usb3 adapters does not power the modem.

frank333

to me ,it no longer works using firefox ,chromium and ROS 7.12.1

frank333

/ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comme...

frank333

ok now everything is clearer to me. thanks @mkx and @pe1chi

frank333

ok tonight I will try , and then I will report back if I still have problems .

frank333

Schermata del 2024-02-09 14.00.28.jpg

@erlinden ,
The rule set seems complete to me, what should I enter?

frank333

OK, but the forward traffic is the traffic generated between the two interfaces, so I think something in my internal network is trying to open a port on the router to communicate directly to the outside and is being blocked.

frank333

ok , but if they are reported it means that something is not working in the firewall . what could it be.

frank333

I keep getting these kinds of alerts, how can I fix it?

forward.png

firewall.rsc

frank333

I had already tried but it does not work

frank333

is enabled. I get this from the logs: fetch,info,debug Download from https://api.telegram.org/bot42558852236:AAR_pTRe0CjksgfdydhdncbvfdtY4/sendMessage to RAM FAILED: Fetch failed with status 400 My Telegram script works fine in v7.13 :global tgFunc do={ :do { :local BotToken "XXXXXXXXX:XXXXXXX...

frank333

scripts that include the fetch command for telegram
user policy "ftp" is enabled?

is enabled.
I get this from the logs:
fetch,info,debug Download from https://api.telegram.org/bot42558852236 ... endMessage to RAM FAILED: Fetch failed with status 400

frank333

I tried 7.13 on RBM11g but the scripts don't work anymore!
What script?

PS Do add image to the post use Attachements when in full post mode. Link to other site may go away.

scripts that include the fetch command for telegram

frank333

I have updated my RB5009 and my CRS326-24G and my scripts for Telegram are not working as expected. I am not getting any message more than the download message with the Chat ID. I will be rolling back to version 7.12 if this not going to be fixed quickly by Mikrotik It would be interesting to under...

frank333

I tried 7.13 on RBM11g but the scripts don't work anymore!
I tried uninstalling the wireless package and downgrading to 7.12.1 but it doesn't work .
How did you guys do the downgrade?

frank333

sertik,
I thought you also , you have 5G DSS which is a very bad system that basically uses the LTE band and gives priority of use to 5G devices . Basically a fake 5G

PS the fibocom L850-GL can be found at 740 rubles really affordable!|

frank333

@Sertik from version 7.11 in the changelog it says this *) lte - added "at-chat" support for Fibocom L850-GL modem; so it should be compatible . If you can though look for a 5G modem as it has bandwidth priority over the bts repeater ,and so with an LTE module you would always have lower p...

frank333

@marcelofares
I have included a short video for you to understand how to download an updated certificate
http://www.videosprout.com/video?id=8d6 ... 1cee4d20e1

frank333

It is sad. But on all pieces of hw under the control of ROS 7. today they turned off the use of DoH. Errors keep popping up! It's time to admit to the support service that it doesn't work stably. install docker on ROS 7 (if you have enough memory) and then pihole or dnsguard and manage the DoH easi...

frank333

@xristostsilis,
you could try with a M11G routerboard (30€) to put the tw99w175 modem the adapter and the 4 pcb antennas

frank333

I was also interested in the modem t99w175 but after several searches , I had found information that it must be unlocked and that it does not work with the usb mode. https://www.rework.network/products/t99w175-5gnr-m-2-modem-plug-from-lenovo-flex-5g Should try it costs 70 euros on aliexpress ; it ha...

frank333

foxconn t99w175 have 5G,eSIM,beter carrier aggregation Did it work? I have ordered an LHGG but I already have this modem and I would like to know if the upgrade works t99w175 works only in PCI mode so it is unsuitable to be mounted on routerboards. Keep the LHG lte18 with its original module from r...

frank333

I have updated my RBM11G to ROS 7.10.2 stable.
Unfortunately this feature has not yet been implemented
which is instead present in the 7.10 testing version.
The wide view was introduced only in 7.11beta2.

a pity , it would have been very useful for Webfig users.🥲

frank333

I have updated my RBM11G to ROS 7.10.2 stable.
Unfortunately this feature has not yet been implemented

Schermata del 2023-07-13 14.53.23.jpeg

which is instead present in the 7.10 testing version.

frank333

With webfig you can no longer see the data clearly, every time you have to open the submenu. Even when writing scripts, the input form is really painful. I wonder why when there is a functional interface it is always changed to a nonsensical one. The remove and run script buttons are too close toget...

frank333

firewall.rsc filter.jpeg raw.jpeg No attacks or problems so far, but it has been a few hours. I hope I have restored the firewall to the default configuration. If anyone has ROS7.9 can you compare it with the images above ? (I tried reading the default script internal to RoS7.9 but couldn't find an...

frank333

well;
i will also remove the BAN lists,
i was thinking of doing a script with /ip firewall filter remove and rewriting the default rules written in your post but i don't want to lose access and connection .
I will rewrite everything by hand tonight.

frank333

re:The log is clear, the SCTP comes from outside, not inside, with wireguard you see nothing..... I thought that if there was a webrtc communication between lan and external you could see it by listening on the router's ethernet interface (but you're right, I started an online webrtc test and it did...

frank333

ok, I'll do an export (text-only ) of the configuration, scripts and modem settings. Then I'll do a total reset so at least I have the firewall with the default rules; then I'll add what's missing by hand. I don't see any other solution. A nice button to reset the firewall back to basics would not b...

frank333

/ip firewall filter add action=drop chain=input comment="Winbox on WAN" dst-port=8291 \ in-interface=lte1 protocol=tcp add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=i...

frank333

Schermata del 2023-05-05 08.05.24.jpeg so far nothing has disconnected. and the logs are clean. @rextended ,you were being ironic when you said in the post above that it's a bts problem. :lol: This was a full blown DDos attack then! Schermata del 2023-05-05 08.15.07.jpeg Schermata del 2023-05-05 08...

frank333

@pe1chi
so I'd better go back to the simple default rules and block the sctp protocol from there.
As far as activating a scpt client is concerned, I really don't know, I've always had the same devices and services, only recently have I got that report

frank333

@rextended yes I put rules to accept ICMP and UDP, TCP in the right sequence. (I thought that following your directions would refine the 'action of the firewall; but if they are of no use why you who have more experience than me wrote them ? :lol: ) @pe1chl So I would do well to delete them ? I hav...

frank333

@Larsa,
So far I haven't noticed any slowdowns or massive cpu commitments(I have at max 7-8 %) .
Thank you for the information

frank333

@frank333, just a suggestion: at our home office we use a simple design philosophy "keep it as simple as possible" with only a few well-chosen and commonly used patterns for sabotage, intrusions and port scanners that end up permanently in a BAN list. The first rule in the raw chain check...

frank333

Schermata del 2023-05-04 15.04.17.jpeg

in this way all protocols other than tcp are filtered out.
and thus any service port activity is disabled ?

port.png

tnx
I will check for a few days and write here

frank333

ok
I did as you said,

raw.png

So it's just a firewall indication and not an external attack? I also have an alert with prot. 41.

frank333

@Larsa,
I noticed activity from the flagsattack rules counter in the RAW section.
fasttrack rules are disabled.

frank333

EDIT
Btw, there are also two "protocol=!tcp" in sequence.

the second rule is disabled

add action=drop chain=prerouting comment="Unused protocol protection" \
    disabled=yes protocol=!tcp

frank333

@larsa, Yes the rules seem to be working , but the problem is that after the log message the modem and sometimes the router restarts.Before there were scpt protocol messages now there are those on ipv6 . In firewall the service port I have three services that I can not disable scpt,dccp,udplite but ...

frank333

@larsa
I essentially used the default RoS rules and added rextended raw rules. I thought the firewall was sufficiently configured

frank333

the strange logs continue with the next reboot of the router, I switched to 7.9 stable.

Not TCP protocol prerouting: in:lte1 out:(unknown 0), connection-state:invalid src-mac c6:e0:42:92:21:52, proto 41, 192.88.99.1->151.58.128.200, len 76

frank333

No, del ponte LTE...

as you can see from my export I used your configuration against flags attack and changed the TTL with the rule in prerouting (would it be better to move it to postrouting?) The problem is that now, after that 'error the router reboots.

frank333

@Larsa here is the firewall configuration,

firewall.rsc

@rextended the IPs starting with 47 139 39 202 are not mine; 151.... is my IP on windtre. is this a problem with my modem?
(Quindi è un problema del mio modem ?)

frank333

i have an rbm11g with ROS 7.8 stable and an LTE module . in the log file i get about 10 messages a day with this wording: Not TCP protocol prerouting: in:lte1 out:(unknown 0), connection-state:invalid src-mac c6:e0:42:92:21:52, proto 132, 39.98.186.94->151.15.109.102, len 52 I checked the firewall s...

frank333

@anav, 1) those rules (some are disabled) are pecedent to those of PCC and are used to direct the traffic of some devices with fixed ip (managed by dhcp server) exclusively to a specific WAN. 2) I didn't understand your problem with dynamic ip's. ---- In dhcp server I reserved static addresses for s...

frank333

but in the LHG LTE18 there is a very good quectel EG18 , which works perfectly with ros7. Why do you want to change it? you would lose in performance , automatic firmware update and manufacturer warranty.

frank333

@evbocharov,
so you also noticed that this :

prioritize.png

does not always correspond to the truth ?

frank333

When i reconfig default settings DNS MT now is stable, without errors in log. Your scheme is crutch. I use dhcp server in MT. I didn't quite understand if you resolved , or not. I ask you this , if you simulate the DoH dns drop ; does your LAN still resolve addresses ( and if so, what dns does it u...

frank333

@evbocharov, if you have a router with a lot of memory you can install docker on (or a raspberry) RoS 7.6 and following and run pihole or adguardhome and you can configure a lot of alternative dns I did that: doh.png it is really all very simple. But I still have some problem in ros ,from dhcp lease...

frank333

If you want to learn more about certificates type in a search engine : What digital certificates are and how they work. And you will find many guides that explain the mechanism more or less in a complex way. Essentially what I can tell you in a few words and with my little experience ,is that digit...

frank333

ok I got it, thanks again for all the valuable information you gave me !!!

frank333

OK. Since the rule assigning the routing mark SSTP is the last one, nothing can rewrite that routing mark.

So by moving it on top of the rules that mark wans, could it mark SSTP traffic correctly ?

frank333

so my isp's ip stays visible for 5 minutes.

I corrected it above. It was a copy paste error.

frank333

yes the script that interrupts for 5 minutes seems to work, I have no alternative, the connection of the host remains unencrypted for that period but it's not a problem. yes the drop rule I disabled it immediately after use. here are my mangle rules /ip firewall mangle> print Flags: X - disabled, I...

frank333

was automatically reactivated within seconds.

frank333

droprule.png mark sstp _manglerule.png connection firewall.png dnsquery.png The good news is that the script of Amm0 modified with a delay of 300s between disable and enable works fine, this morning I found the vpn perfectly connected, but I don't find any traffic marked SSTP; in firewall --->conne...

frank333

sstpfirewall.png snif2.png the rule of the firewall does not work as you can see from the counter that remains at zero, I waited 10 minutes but nothing happened, then I disabled by hand sstp-out1 and the script after a few minutes has reconnected and wireshark has obtained what you see above, I not...

frank333

sniff1.png /ip firewall filter add chain=output protocol=tcp src-port=37008 dst-port=443 dst-address=146.70.118.54 action=drop This rule above I put it at the end of all the others at firewall . Now things get complicated ... I set it up the way above; the mikrotik runs all the sniffed traffic on m...

frank333

sniff.png I started sniffing, filtered on ports 443 and 53 but for now wireshark didn't catch anything even if I tried to open https pages. If I don't do port filtering I see all the traffic and I found out that I'm connected to this ip 146.70.118.54 (free-de.hideservers.net) and not to nl.hide.me ...

frank333

as you may have seen from the logs I had several interruptions, in fact I turned off and restarted the vpn several times, but it always resumed, I turned off and restarted the LTE connection in order to change ip several times but it always resumed. My belief is that only when a particular event ha...

frank333

@Amm0, ok now I understand for V6 ...V7 version ; I would like to switch to V7 on RB3011 but I have read too many negative experiences . This morning I found the vpn disconnected despite the script , I manually relaunched the script but it didn't work . I disabled the sstp-out1 interface for about 1...

frank333

@Amm0,
The script works perfectly , reactivated the connection correctly

, let's see tonight what happens.
I did not understand this: edit: V6 = use spaces...

frank333

@sindy I modified the script in the two ways below but it still doesn't work :if (((interface sstp-client monitor sstp-out1 once as-value)->"status") != "connected") do={/interface set sstp-out1 disabled=no} :if (((interface sstp-client monitor sstp-out1 once as-value)->"sta...

frank333

hello sindy, I put this line in scheduler every minute

:if ([interface sstp-client monitor sstp-out1 once as-value]->"status") != connected do={/interface set sstp-out1 disabled=no}

but it returns sintax error

frank333

The vpn this time crashed (and did not reconnect) overnight so I could not log . Now I use a remote syslog and I hope to capture some information. From the logs I've updated here https://forum.mikrotik.com/viewtopic.php?p=974001#p974001 I've seen that yesterday it reconnected successfully , then I ...

frank333

nothing won't disconnect, I'll start again in the morning if the log buffer is totally full ,for now thanks for the support

frank333

ppp.png

it gives an error in the logs but it has connected correctly in ipv4 i have an ip 222.x.x.x

frank333

no, I'm not using ipv6 (I don't even have the package installed), in PPP--->Profiles I can't find the entry for IPV6; however the connection has not been disconnected yet

frank333

This is the startup log , I will post below the one when it crashes, Dec 26 12:58:27 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP lowerup Dec 26 12:58:27 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP open Dec 26 12:58:28 x.x.x.x logger sstp,ppp,debug sstp-out1: LCP timer Dec 26 12:58:29 x.x.x.x logge...

frank333

@Amm0, On the RB3011 I had a l2tp connection that worked for several years without problems and always rebooted automatically. Now with the sstp my problem is only to restore the connection because it NEVER reactivates automatically. This below is the manual procedure that I followed and that has on...

frank333

@Amm0, If I connect to the vpn through ubuntu the connection never drops (I tried from 7 to 24) if I make a connection with Ros instead it can remain active 4-5 hours and sometimes a few half hours or 1 hour. When the connection drops the connection does not recover more I waited a day but nothing h...

frank333

hello sindy, I did not quite understand what to add in netwatch since the 'address of the host sstp is dynamic and therefore changes with each connection, I messed around a bit with the script :if ... but I did not get anything. As I wrote the vpn is free and I think the disconnection is due to some...

frank333

Hello, yes, I've already done so, but if there was the possibility would have been very convenient.

frank333

@normis,
how could you do to ensure the continuity of the encrypted DNS on a second DoH (a kind of failover...)?

frank333

@broderick,
I rarely have disconnections ,even when downloading at full speed( I have a script that constantly checks the gateway). The problem is only for the vpn I would need a system that monitors the traffic and if during a predetermined time this fails it restarts the vpn.

frank333

I managed to make this script which I put in scheduler in 1 minute cycles , but it doesn't work well because it reactivates the vpn as soon as there is no traffic but the vpn didn't disconnect. /interface monitor-traffic sstp-out1 once do={ :if ($"rx-packets-per-second" = 0 ) do={ /interfa...

frank333

@anav hello, I have ros 6.48.6 ; dinamic ip, and a fairly stable 300/100 LTE connection. The vpn only allows SSTP or IKE2 it is very fast it has low latency but it disconnects random I think it is not due to a wrong configuration because the provider has published a specific setting page for mikroti...

frank333

@orangutan,
it would be nice if it worked fully i.e. maintained redundancy on a second DOH , for now I solved with adguard on docker ; to which via dhcp ,I route the traffic of some clients on my lan.

frank333

I have a connection to a free vpn that works very well, but has the odd bug of randomly disconnecting after about 8 hours. I tried to create a little script in netwach by pinging the gateway of the vpn, but that only works once, then the IP of the gateway changes and netwacth doesn't work anymore; a...

frank333

@evbocharov It is commendable mikrotik's initiative to make simple explanatory videos or mini courses on basic settings. As far as it comes to disabling the DNS server on the router I think it shouldn't happen because in case the remote DNS fails it can switch to a second alternative DOH server. Thi...

frank333

thanks for the info, and since you can't put reactions to every post I'll put them here

frank333

@Josephny,
I hate windows ; but you can use the graphical version called zenmap if you are scared of the command line.

frank333

nmap -sn -T5 -A -v 8.8.8.8

frank333

With ros 7.6 I tried to write a script directly in Scheduler and this works.
I ask is it correct to do this or what problems might it bring?

frank333

I found this opensource script, which works great on RBM11g em160 ros 7.6 : https://github.com/filimonic/mikrotik-s ... d-telegram
thanks to the author!!

frank333

Exactly, and also on some smartphones the qrcode is not read at all by the normal application of the operating system. L 'app provider then reads in an encrypted way the qrcode sends the chip esim only one or two times and in case of failure or change smartphone must repurchase a new qrcode.

frank333

Just click on the link and read the page!

pe1chi

I read the page and it seems obvious that the provider provides the numeric code.
I asked further, because in my case no numeric code is provided but only an encrypted qrcode readable only by a special app.

frank333

LPA:1$ee.pr.go-esim.com$ would be the provider?
do you find the activation code on the paper sheet provided by the provider ; or did you extract the code from the qrcode ?

frank333

It is very interesting to create two partitions, I have 85 MB out of a total of 128. I've read the manual a little bit but it doesn't explain in detail how to do it and I would surely mess up, I'll open a post to get some advice.

frank333

ok, I'll ask again in a few posts on the DoH if anyone still had problems and then I think I'll update (hoping not to use netinstall and revert to the previous version)

frank333

@pe1chl , I've read several posts on the forum about DoH; but with ros version 6.49.2 it's not clear to me if in case of doh block the router continues to work with unencrypted dns. I also read that someone has chosen the longterm version 6.48.6 preferring it to the stable version. I'm gripped by do...

frank333

@eworm tnx, i could continue to use l2tp , do you know if there are any problems also for DoH ?

frank333

Good morning,
I have a rb3011 with ros6.46.8 and a configuration with dual wan in load balancing,
I would like to upgrade to 6.49.2 to take advantage of wireguard and DoH .
Someone who has tried can confirm or not the success?

frank333

I solved by forwarding port 8443 !!!! script on the LTE router and should be scheduled every 4-5 minutes --------------------------------------------------------------------- #temperature read by another script :global temp2 #temp value transfer to domoticz on idx27 through NAT port 8443 :global url...

frank333

having memory, there is portainer.io, should be installed as a normal docker image, and provides a simple graphical interface to install all the images you want. you can customize the run commands, extensions, ports, volumes, etc..

frank333

I have the same problems as you, i.e. the command from the browser works, while via script it doesn't work I think it's a syntax problem and I can't find any information.

frank333

Does it require root to change the mac address?

yes

frank333

@sindy the mac address does not appear in any vendor list online, I noticed that turning off and on the router, the mac address changes. I have not yet done the test with the passtrought because I read on another forum and from an example of sib that the provider does not have the macaddress to reco...

frank333

for the mac address I have not found any reference if it is really a quectel ; ok then I will try tonight to do some tests and write here the problems

frank333

mac address quectel modem 5E:FB:9B..

I would probably start something very complex because: the lte router currently already passes data through a vlan on a switch, to a wan port of a second router .
tnx for info.

frank333

@sindy the mac addres to clone starts with 90:FD:73... I changed the macaddress of the smartphone with the apk Mac Address Ghost . I don't want to use the smartphone but a routerboard rb11g pass.png so using passthrough all routerboard settings are excluded and it works as only lte extension for ano...

frank333

If we really talk about MAC address change, not an IMEI change, it might be possible to use the LTE in passthrough mode and change the MAC address on the Ethernet interface of the external router connected to the LTE one. the imei i can change it but, what i am interested in is the macaddress the c...

frank333

I want to change macaddress to lte interface. I have a routerboard with a quectel em160 lte modem, the telephone operator to which I am subscribed provides me with a bad router and binds me to use that using the macaddress. If I use another lte router the connection works for 10-15min and then falls...

frank333

....BTW, I disagree with your statement that it's a tiny proportion of customers, I imagine a good percentage of customers would need to climb on their roof at some point. I was up there just 2 days ago when one provider was doing tower maintenance and I need to get up there again to get the sim ba...

frank333

it's a pity, in italy mikrotik products are much sought after at this time but you can't find anything. despite everything you can find all ubiquity products. I don't want to argue but I need a rb5009 and I'm forced to wait until mid-November or buy another brand.

frank333

I would be interested in these two modems simcomm SIM8200EA-M2 (290€) and especially foxconn T99W175 (189€) .
I have written to retailers but they can't tell me if they are compatible with Ros and quectel 5G modules have crazy prices!

frank333

thanks deadkat,
i found other interesting models.
I think that the problem of many unsupported modules is that of limited space in ros, but you could create versions with only sierra drivers or only quectel or only telit to make them compatible with any hardware.

frank333

on the quectel forum there is a way to update the firmware, but maybe you have to take out the modem.
I have the problem instead of going back from 7.1.rb6 to the original firmware 7.0.3 stable chateau is nowhere to be found.

frank333

This page has very old models, https://wiki.mikrotik.com/wiki/Manual:Peripherals I am almost sure that all quectel modems are ros compatible, but they are very expensive, have bugs and quectel support is very bad. On the other hand, there are cheap modems like fibocomm , telit , dell etc that could ...

frank333

I assure you instead that we use an LTE connection is very important, because it would allow the transition to a backup eSIM or choose the cheapest plan. I have a quectel modem that can hold several eSIMs but I can not extract the certificate insertion seems easy because you can also use a command A...

frank333

it would be interesting to have an eSIM, here in my country it is possible to request it but the problem is to pass it to the modem, as the certificate is provided via a qrcode and a smartphone app

frank333

novità.png

interesting device, any info?

frank333

The version that doesn't give problems . Many people say it can be a power supply issue try checking the voltage with this command /interface lte at-chat lte1 input=AT+CBC before and during aggregation. Several sellers on aliexpress say they have solved the problem with a new update try contacting q...

frank333

the censored parts do not have any special characters or spaces they are only letters and numbers, I also tried to convert the whole string http://10.100.0.... with an on line urlencoder but it does not work. the script does not create any url variable in Environment. I have Ros 7.1rc1.

frank333

yes that's it, that script sends a telegram message if the modem temperature is above 55 degrees and monitors the temperature every minute. My problem, however, is to send that string http: //10.100.0.202 .... and retrieve the temperature from the temp2 variable. i can't find documentation for scrip...

frank333

no if I enter a value it does not work. I think it's not a problem with the variable but with the way fetch works. Here is the script :set temp1 55 :global temp (:tostr(:put [/ interface lte at-chat input="at+qtemp" lte1 wait=yes as-value])); :global tempstring ([:pick $temp 0]); :global t...

frank333

temp2.png

I modified the script like yours above but it still doesn't work.
temp2 is a global variable obtained from another script every minute

frank333

:local url "http://10.100.0.202:8080/json.htm?username=xxx&password=xxx&type=command&param=udevice&idx=27&nvalue=0&svalue=" /tool fetch http-method=get http-header-field="content-type:application/json" url=$url $temp2 I have modified it this way but the s...

frank333

I wanted to monitor with domoticz the temperature of a modem on a RBM11 routerboard. I detect the temperature of the modem with a script that is saved every minute in the variable temp2. with the command via browser http://10.100.0.202:8080/json.htm?username=xxx&password=xxx&type=command&...

frank333

on rbm11 it works fine it loaded without any problems . I will update this post with any problems I encounter. 71.png some % characters remained in some webfig windows. in webfig firewall and others, these columns can no longer be adjusted. LTE cell scanning has been reduced to two, with the old 7.1...

frank333

great mikrotik!! now i try to install it on the little rbm11

frank333

If the modem is an ES version, the problem rarely occurs. (serial up to .100) What version of modem do you have?

frank333

it seems that the problem is due to the modem version.
I have the Engineer sample version and this error appears very rarely.

frank333

It contains the fixes for Frag Attacks: https://blog.mikrotik.com/security/fragattacks.html

@ Guntis
hi, can you give us a preview of the new release?

frank333

It depends on the staff, I think, if they are full they can do it.
https://help.mikrotik.com/docs/display/ ... col+Status

frank333

error.png

after a disconnection, the router reconnects 1 second later; but the indication connect failed remains in the interfaces lists menu. this should be reported as a bug. rbm11g modem em160

frank333

Perform a Netinstall and then check again...
https://wiki.mikrotik.com/wiki/Manual:Netinstall

ok!.seems to work now on rbm11g ROS 7.06 tnx

frank333

@ Easen
so reverting to beta 5 no longer has the problem you had in the first post.So I'll try.

frank333

I can add another RB2011 ...

I have the same problem as you how did you solve it?

frank333

with 7.1beta6 on rbm11g on shutdown it crashes, I have to log in with winbox.
how did you solve it? using netinstall? or updating from win box menu?

frank333

1.png

in routerboard RBM11G in IP routes and in nexthopes the % sign appears should be reported

frank333

I wrote in this post because the only way to contact you, I tried several times in telegram but the account seems off, I will delete the post if you think it is not relevant.
ps:I just wrote you on telegram

frank333

very important info, @Sib, you also have some scripts for the quectel EM160? I am preparing the rbm11g

frank333

@sindy
I know it's a risk, for rb3011, should I try to update ROS to 48.2?

frank333

@SIB, ok, thanks for the info Sib, do you know if there is a command in ROS to understand or choose the type of connection (example: /system routerboard usb set type=mini-PCIe) , reading on this forum it seems that they managed to use usb3 on mpcie to activate a quectel modem .(last post https://lte...

frank333

Block Diagram not show us for RBM11G info what limitation have a mPCIe slot at this unit. Maybe like USB3.0 or USB2.0 - you have it and can check this !. I not have M11G or M33G and I base at forum answers and documentation. I have only rbm11g not yet have the modem, I was asking if you could under...

frank333

So to get the maximum bandwidth, i have to connect a fast modem like EM160 with a usb3 adapter ?

From the block diagram it seems that an mPCIe port is connected directly to the mediatek SoC.

I have a rbm11g so the maximum bandwidth will always be 480M (usb2) ?

frank333

...
I wanted to know which MT7621 GPIO is controlled when this command is run on RBM11G board.

GPIO9

frank333

of course, you can use a virtualbox, but what I wanted to discuss is essentially this, since by now the linux distributions have already pre-installed I don't understand the distrust of a completely open and parsable script that installs original programs in a sandbox. the problem of wine that 'poll...

frank333

I understand, is like saying but go take up knitting! ,you're a poor incompetent, but I would like to understand what is so scary according to you in running snapcraft that is an application (a sandbox) built by the same developers of ubuntu, which installs wine in a reduced and minimal form, and ru...

frank333

however here https://github.com/panaceya/winbox there is the snap of winbox and I have not seen anything critical in terms of security if you notice something wrong write it in the post, basically download the latest version of winbox from the site mikrotik and makes the connections for snapcraft

frank333

@ rextended
I found a version of winbox compiled for mac, so sources should be available (the developer does not answer me), do you know where to find them?

frank333

but, I have checked for a while with wireshark it seems clean does not connect to strange ip

frank333

waiting for a version of winbox compiled for linux...
works more than well I would say!

frank333

I found a simple and effective way to run Winbox on linux, here are the instructions https://snapcraft.io/winbox I tried it on ubuntu 18.04 LTS and it works great!

frank333

If I disable the mangle rules that redirect to one or the other wan the pings work.

frank333

the configuration modvlan.rsc If I disable WAN1 the ping on 192.168.9.1 works. sniff.png I have RouterOS version v6.46.6 (testing) maybe upgrading to the latest one could solve it, but I've read about problems with 3011 this one below from another computer ping 192.168.9.1 sniff.png tracepath with b...

frank333

sniff.png

from another bridge port

frank333

sniff.png

let's continue another day, I'm not able to start the quick sniffer directly from a computer, and not even with wireshark

frank333

yes,and pings at 8.8.8 also work f@ff:~$ ping 192.168.9.2 PING 192.168.9.2 (192.168.9.2) 56(84) bytes of data. 64 bytes from 192.168.9.2: icmp_seq=1 ttl=64 time=0.217 ms 64 bytes from 192.168.9.2: icmp_seq=2 ttl=64 time=0.199 ms 64 bytes from 192.168.9.2: icmp_seq=3 ttl=64 time=0.168 ms 64 bytes fro...

frank333

sniff.png

frank333

sniff.png

frank333

in the interface list I succeeded ,

interface_list.png

eth10 remains in the bridge

frank333

How does /ip firewall address-list export look like, and what does the sniffing as suggested above show?

I cannot add wan2-100 to the bridge, nor can I add it to the interface list, I can use wireshark on the port for sniffing.

frank333

I've tried changing the mangle as you told me, I can't ping from any pc, either directly to the 3011 or from the netgear.

rule_mangle(1).rsc

frank333

When connecting a computer to a bridge port on the 3011, I cannot ping 192.168.9.1.
Here is the configuration after the changes.

mod_vlan.rsc

I do not understand these settings

bridge.png

interface_list.png

frank333

I tried the script; I had to enter / interface bridge port add bridge = bridge interface = ether10 instead of / interface bridge port enable [find interface = ether10] . From a client connected to the netgear I can't reach the main page of the LTE router (192.168.9.1) and the ping doesn't work, from...

frank333

@anav
Yes, the 2 WANs have fixed IPs
wan1 is 192.168.8.2
wan2 is 192.168.9.2

frank333

@anav
On the 3011 from ports 2--->9 there are connected 2 accesspoints a miniserver for home automation and clients computers. Client computers are connected to the netgear switch on ports 2,3,4.

frank333

@sindy
The purpose of publishing it is to get your feedback on whether I have configured the switch correctly. It was just the configuration of the switch that was not working , I will try again tonight.I am now testing the switch with the image configuration and I can reach vlan10 anyway.

frank333

@anav the vlan10 that you see in my configuration is used to reach the management interface of the two ubiquity access points that I have, and should keep separate data traffic from the management traffic, I do not know if it is set correctly also because from each android wifi client I can reach th...

frank333

vlansetting.png

membership1-100.png

PVID.png

frank333

....
So what have I missed?
....

you're right, I'm the one who got lost :-)

frank333

@sindy
the ip provided by the LTE router to the WAN2 of the 3011 is dynamic and when I connect it to the eth5 of the netgear it will be maintained even when passing as VLAN100 ?

frank333

@anav
here is my configuration

testvlan.txt

@sindy
I wasn't able to do much this morning especially with the vlan on the switch, I'll try again with the directions you wrote above

frank333

I would like the netgear to have 3 ports connected to the 3011 LAN bridge.

frank333

hi sindy, thanks for your reply; the eth10 port is now working as a load balancing wan2, when I go to hook the vlan100 I will have to assign to the vlan created a static ip of the same class that I have now on WAN2? In the netgear switch will the untagged ports be connected to the LAN bridge? Tonigh...

frank333

If you already have the "A07" firmware ...

good to know, I ordered the modem and other parts from your blog links, which is very accurate.

frank333

@uiblogit
so, is it still necessary to update the firmware on the em160 modem and mikrotik to version 7 unstable?

frank333

vlan.png

I have two wans with working PCC load balancing. I wanted to change the configuration so that with only one ethernet cable and a managed swicth I can separately transport both wan2 and use the remaining switch ports as LAN. Can you recommend a guide or some basic information?

frank333

in my opinion an ideal device for LTE should have external cpe have a 4x4 mimo triband antenna no pcb a motherboard M2 to ethernet 10G and accept any linux compatible modem (possibility to upload drivers linux in RoS) be manageable by a downstream router. price around 200€ the possibility of choosi...

frank333

After update LTE Firmware, always show " A newer version of modem firmware available! ". can't understand, why show all time? regarding the warning , it is a bug of RoS 7 . For LHGG LTE6 the CA characteristics of the modem are these https://smartphonecombo.it/?device=R11e-LTE6 or https://...

frank333

sector.png interesting the two sectional antennas (are they pcb? ) what brand are they, are there antennas for the 4 x 4 mimo in one panel? For lte management on LR8 LTE what version do you have of os router and what modem card do you have. I had thought to modify the LHGG LTE6 but it is not mimo4x...

frank333

Hello,
i have a Fibocom L850 LTE module which works fine under linux in mbim mode with a usb3 adapter. When i connect it to my x86 machine with router os v7 beta it is recognised as PPP interface and no LTE interface brings up. What can i do?

the modem is compatible, how did you solve it?

frank333

I am going to build an external router, with RBM11G, a quectel EM160R-GL cat16 modem and 4 Halo coflex3200 antennas. With a similar configuration, I would like to be able to maintain the connection on a nearby local BTS that I can not reach with the router I have now, but that I hook only with the s...

frank333

try to follow this holy man's guidance,
https://jcutrer.com/howto/networking/mi ... over-https

frank333

slimprice,
cloudflare has the fastest dns, then there is google, and all the other .Open dns here at my place is very slow.

frank333

on RB3011 with v 6.47 I can't see the memory and CPU graphs anymore, does anyone know how to solve it?

frank333

yes normis, I wanted to say this that I tried, but in addition to having problems with continuous writing on the nand with v6.47 I still can not enable the verification of certificates in addition to that of cloudflare, also can not yet enter a second doh server that acts as failover.

frank333

In my opinion, doh is the first example of how much mikrotik cares about the safety of its users and other initiatives in this direction are welcome.
The only thing I can reproach are the problems I had using the firmware 6.47 and the lack of possibility to use other dns besides cloudflare.

frank333

slimprize.
that's what I do . in the PEM download section.

Schermata del 2020-06-14 08.31.14.png

frank333

so ?

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53

put in front of all the rules ?
192.168.88.1 is ip of router mikrotik

frank333

Yes, I couldn't find any commands to read the writing counter on the 3011 nand.
I downgraded to 6.46.5 today.
https://download.mikrotik.com/routeros/ ... 6.46.5.npk

frank333

Can someone tell me how to read the scripture counter on the nand of Tik RB3011?
I tried with /system resource print but there is no information.
I need it to see if the 6.47 firmware is frying my nand.

frank333

on linux to control the dns i do this, reboot the connection and control with nmcli device show myinterface | grep IP4

frank333

you have to open a shell with ssh root@ipyourrouter then once you are in the router type /export hide-sensitive and copy the result or save it to file=myfileexport

frank333

I thought the result file was written on mikrotik's hdd, so I moved it to the external MMC. Schermata del 2020-06-10 12.54.41.png The script always populates the mikrotik DNS cache even when the DOH cloudflare fails. For the query response errors I thought about this . Schermata del 2020-06-10 13.00...

frank333

I'm using the script and it works well, I've imported global certificates and tested several DoH servers but you always get an error as a response.
I set the scheduling every minute and had the results written on an external sacrificial MMC card, not to fry the tik flash.

frank333

unless you'd turn the approach upside down and instead of manually configuring remote IPs which require use of the same WAN, you'd manually configure IPs which don't. :shock: I don't understand exactly how you can do it and what you get is very complicated. I enclose here below my final working con...

frank333

sindy, thanks again, everything works properly, practically the traffic is sorted a bit on one gateway a bit on the other keeping the routes for an hour. The only thing I lost with the latest changes are the multiple connections and the sum of the total bandwidth, but I think it's inevitable. I'll b...

Search found 348 matches