Community discussions

by mrz
Thu Feb 21, 2019 10:27 am
Forum: Forwarding Protocols
Topic: Random OSPF State Down
Replies: 8
Views: 257

Re: Random OSPF State Down

Most likely cause is BFD, it may report link downs on CCR router even if link is ok. I would suggest not to use BFD on CCRs.
by mrz
Wed Feb 20, 2019 4:13 pm
Forum: Forwarding Protocols
Topic: OSPF Redistribute Problem
Replies: 8
Views: 324

Re: OSPF Redistribute Problem

What is the config on R1?
by mrz
Wed Feb 20, 2019 12:35 pm
Forum: Forwarding Protocols
Topic: Mikrotik L2TPV3
Replies: 8
Views: 2127

Re: Mikrotik L2TPV3

As far as I can tell there are no plans to implement L2TPv3 in near future.
by mrz
Wed Feb 20, 2019 11:56 am
Forum: Forwarding Protocols
Topic: OSPF Redistribute Problem
Replies: 8
Views: 324

Re: OSPF Redistribute Problem

What is considered by "full routing table"? If you are talking about inter/intra area routes learned from other OSPF neighbors then those will always be installed in routing table for all routers in the same area.
by mrz
Wed Feb 20, 2019 11:51 am
Forum: Forwarding Protocols
Topic: Random OSPF State Down
Replies: 8
Views: 257

Re: Random OSPF State Down

What kind of router is this? CCR?
by mrz
Wed Feb 20, 2019 10:14 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: Please enhance netwatch to be effective in WAN environments
Replies: 1
Views: 84

Re: Feature Request: Please enhance netwatch to be effective in WAN environments

Write a script using ping tool and you will get all your requested features.
by mrz
Tue Feb 19, 2019 4:51 pm
Forum: Beginner Basics
Topic: Does EOIP need both ends to be visible [SOLVED]
Replies: 1
Views: 71

Re: Does EOIP need both ends to be visible [SOLVED]

No, both ends need visible public IP or if there is a nat then NAT forwarding.
But, if you encapsulate EoIP in IPsec then it is possible.
by mrz
Tue Feb 19, 2019 1:19 pm
Forum: Forwarding Protocols
Topic: How to make use of /32 ips?
Replies: 5
Views: 193

Re: How to make use of /32 ips?

I would still suggest to change from interface to IP address. Even if it works at the moment, it may cause problems in the future. Interface gateway on broadcast network can trigger unexpected behavior.
by mrz
Tue Feb 19, 2019 12:15 pm
Forum: Forwarding Protocols
Topic: How to make use of /32 ips?
Replies: 5
Views: 193

Re: How to make use of /32 ips?

gateway=SRV01 is not a valid configuration on broadcast network.
by mrz
Tue Feb 19, 2019 10:17 am
Forum: Scripting
Topic: Global variable dissapears?
Replies: 5
Views: 186

Re: Global variable dissapears?

It is already mentioned in the scripting manual:

"dont-require-permissions: Bypass permissions check when script is being executed, useful when scripts are being executed from services that have limited permissions, such as Netwatch"
by mrz
Mon Feb 18, 2019 1:09 pm
Forum: General
Topic: IPSEC IKEv2 eap?
Replies: 1
Views: 102

Re: IPSEC IKEv2 eap?

You need RADIUS server that supports EAP, in ipsec peer set auth-method=eap-radius. RouterOS itself cannot do EAP authentication at the moment.
by mrz
Mon Feb 18, 2019 1:06 pm
Forum: General
Topic: More detaled ipsec wiki
Replies: 3
Views: 334

Re: More detaled ipsec wiki

When you specify local and remote certificates in ipsec configuration, it means that server will verify client and client will verify if server certificate is valid, which is more secure than what you want when only client is verifying server certificate. If you really want this, then configuration exa...
by mrz
Mon Feb 18, 2019 11:04 am
Forum: Beginner Basics
Topic: Mikrotik and Kerio, IPsec connection
Replies: 2
Views: 123

Re: Mikrotik and Kerio, IPsec connection

If it is site to site, then make sure that traffic is not NATed or fasttracked, see documentation for more info:

https://wiki.mikrotik.com/wiki/Manual:I ... ack_Bypass
by mrz
Mon Feb 18, 2019 11:01 am
Forum: General
Topic: don't have ping but see the IP on scan?
Replies: 4
Views: 172

Re: don't have ping but see the IP on scan?

It is possible that ICMP protocol is blocked, in that case ping will not work.
by mrz
Mon Feb 18, 2019 9:42 am
Forum: Scripting
Topic: Global variable dissapears?
Replies: 5
Views: 186

Re: Global variable dissapears?

DHCP, ppp, netwatch etc, do not have enough permissions to get access to global variables. If you want full permissions, then create a script with option do-not-require-permissions and execute the script on dhcp event.
by mrz
Thu Feb 14, 2019 12:19 pm
Forum: General
Topic: IPSec rekey interval? [SOLVED]
Replies: 4
Views: 273

Re: IPSec rekey interval? [SOLVED]

lifetime in ipsec proposal
by mrz
Wed Feb 13, 2019 3:19 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1030
Views: 172855

Re: Feature requests

PPP profile already has on-up on-down events.
by mrz
Wed Feb 13, 2019 9:50 am
Forum: General
Topic: More detaled ipsec wiki
Replies: 3
Views: 334

Re: More detaled ipsec wiki

There is already example how to use RSA and also how to generate certificates: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication Everything else is not RouterOS specific and there are a lot of resources around the internet about RSA keys certificat...
by mrz
Thu Feb 07, 2019 11:47 am
Forum: RouterOS v6 RC and v7 BETA
Topic: IPv6 iBGP routes showing Unreachable | OS 6.39rc68 (testing)
Replies: 3
Views: 167

Re: IPv6 iBGP routes showing Unreachable | OS 6.39rc68 (testing)

Currently it is not possible to resolve recursively to link local gateways.
by mrz
Tue Feb 05, 2019 4:02 pm
Forum: General
Topic: High CPU plus Latency plus Packet Drops when bonding with balance-rr
Replies: 11
Views: 837

Re: High CPU plus Latency plus Packet Drops when bonding with balance-rr

Regarding problem with xor, contact support with attached supout files from both switches.
by mrz
Tue Feb 05, 2019 2:59 pm
Forum: General
Topic: High CPU plus Latency plus Packet Drops when bonding with balance-rr
Replies: 11
Views: 837

Re: High CPU plus Latency plus Packet Drops when bonding with balance-rr

Only 802.3ad and balance-xor modes are switch chip accelerated. When you select balance-rr you are hitting CPU performance limit.
And 802.3ad is not balancing between multiple links, because most likely you have only one stream running.
by mrz
Mon Feb 04, 2019 10:04 am
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 169
Views: 26050

Re: v6.43.8 [stable] is released!

abrandecky please generate and send supout file to support.
by mrz
Fri Feb 01, 2019 10:03 am
Forum: Forwarding Protocols
Topic: Multihoming and connection tracking
Replies: 5
Views: 364

Re: Multihoming and connection tracking

It is recommended not to use any connection tracking related feature. Also avoid setting complicated firewall for forwarded traffic.
by mrz
Thu Jan 31, 2019 3:01 pm
Forum: Forwarding Protocols
Topic: BGP tuning
Replies: 3
Views: 236

Re: BGP tuning

Adjust local-pref or weight with routing filters.
by mrz
Tue Jan 29, 2019 3:43 pm
Forum: RouterOS v7
Topic: Issue Faced in BGP-VPNv4
Replies: 4
Views: 316

Re: Issue Faced in BGP-VPNv4

One packet before should be update message with attribute flag error. Notification message just informs remote peer that malformed packet was received and connection will be closed.
by mrz
Wed Jan 23, 2019 10:54 am
Forum: Forwarding Protocols
Topic: VPN - MTU - Change MSS - Wiki
Replies: 2
Views: 287

Re: VPN - MTU - Change MSS - Wiki

!!! MTU is not the same as MSS !!!

If max possible MTU is 1450 then MSS is less than that, see illustration below

Image
by mrz
Tue Jan 22, 2019 5:25 pm
Forum: General
Topic: 6.43.8 vulnerability or hack?
Replies: 31
Views: 1664

Re: 6.43.8 vulnerability or hack?

Currently there are no new known winbox port vulnerabilities. If you are sure that after first hack you reinstalled the router and changed login credentials, then contact support. There are cases that routers get "hacked" even after upgrade, because already stolen credentials were not changed. mrz, a...
by mrz
Tue Jan 22, 2019 5:05 pm
Forum: Scripting
Topic: Request: fetch support for custom http header fields
Replies: 9
Views: 1332

Re: Request: fetch support for custom http header fields

Already possible

/tool fetch http-header-field=
by mrz
Tue Jan 22, 2019 4:03 pm
Forum: General
Topic: 6.43.8 vulnerability or hack?
Replies: 31
Views: 1664

Re: 6.43.8 vulnerability or hack?

Currently there are no new known winbox port vulnerabilities.
If you are sure that after first hack you reinstalled the router and changed login credentials, then contact support.
There are cases that routers get "hacked" even after upgrade, because already stolen credentials were not changed.
by mrz
Tue Jan 22, 2019 9:37 am
Forum: Forwarding Protocols
Topic: Filtering oddities
Replies: 1
Views: 124

Re: Filtering oddities

protocol="" means no protocol, there are no routes without protocol so obviously rule will not match anything. If you want to unset protocol parameter then use command 'unset'.
by mrz
Wed Jan 09, 2019 6:31 pm
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 42
Views: 6539

Re: v6.42.11 [long-term] is released!

superchannel is not removed. Country selection is to comply with regulations.
If you want to break the law select superchannel, no country and keep using your link as before.
by mrz
Wed Jan 09, 2019 10:37 am
Forum: Scripting
Topic: auto upgrade -> set channel doesn't work anymore
Replies: 2
Views: 140

Re: auto upgrade -> set channel doesn't work anymore

Channel names have changed to "long-term", "stable", "testing"
by mrz
Tue Jan 08, 2019 3:42 pm
Forum: RouterOS v7
Topic: Issue Faced in BGP-VPNv4
Replies: 4
Views: 316

Re: Issue Faced in BGP-VPNv4

RouterOS closes connection whenever it receives malformed update. There are two possibilities, either remote peer sent actually malformed packet or packet contained attributes that RouterOS does not understand and thinks that they are malformed. I would suggest to run packet sniffer to catch which pack...
by mrz
Tue Jan 08, 2019 10:01 am
Forum: Forwarding Protocols
Topic: BGP Over GRE-- HOLD Timer Expired Subcode Zero
Replies: 8
Views: 322

Re: BGP Over GRE-- HOLD Timer Expired Subcode Zero

That is incomplete information. 1. On router A you have loopback for tunnel peering, on router B you don't 2. You have only 4 routes in routing table? what about BGP installed routes? As asked before provide IP addresses used for tunnel peering for both routers. And post the output of commands: /ip ...
by mrz
Mon Jan 07, 2019 4:37 pm
Forum: Forwarding Protocols
Topic: BGP Over GRE-- HOLD Timer Expired Subcode Zero
Replies: 8
Views: 322

Re: BGP Over GRE-- HOLD Timer Expired Subcode Zero

Show routing table output of both routers when BGP is established and specify what is the address tunnel is connected to.
by mrz
Mon Jan 07, 2019 1:55 pm
Forum: General
Topic: IPv6 Link-Local Addresses
Replies: 6
Views: 433

Re: IPv6 Link-Local Addresses

I would suggest not to remove link local addresses but block access in firewall.
by mrz
Mon Jan 07, 2019 11:33 am
Forum: Forwarding Protocols
Topic: BGP ignores local pref
Replies: 4
Views: 378

Re: BGP ignores local pref

Do both VPNv4 routes have unique RD? As far as I have seen it is happening when there is misconfiguration with route distinguishers.
by mrz
Fri Jan 04, 2019 5:27 pm
Forum: Forwarding Protocols
Topic: BGP Over GRE-- HOLD Timer Expired Subcode Zero
Replies: 8
Views: 322

Re: BGP Over GRE-- HOLD Timer Expired Subcode Zero

Look at routing table after BGP is established. Most likely because of how networks are advertised you are trying to reroute already encapsulated packets inside tunnel interface. Which obviously is not going to work.
by mrz
Thu Jan 03, 2019 2:34 pm
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 169
Views: 26050

Re: v6.43.8 [stable] is released!

remove [find name="A"]

but I would suggest to use proper method and unset variables
:set A

If you have any further questions post in correct section, this is not v6.43.8 related.
by mrz
Thu Jan 03, 2019 1:37 pm
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 169
Views: 26050

Re: v6.43.8 [stable] is released!

There will always be delays before items appear in the table. Slower CPU greater delay.
by mrz
Thu Jan 03, 2019 11:55 am
Forum: Scripting
Topic: unknown parameter API Error
Replies: 1
Views: 143

Re: unknown parameter API Error

use correct parameter names, there is no "name" for this command, but "user"
by mrz
Thu Dec 27, 2018 11:01 am
Forum: Forwarding Protocols
Topic: BGP over link-local IPv6 remote peer gets no prefixes
Replies: 4
Views: 333

Re: BGP over link-local IPv6 remote peer gets no prefixes

I assume it is eBGP peer, try to enable BGP debug logs, then you will see the reason why updates are ignored, most likely because advertised nexthop is not on the shared network.
by mrz
Fri Dec 21, 2018 2:12 pm
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 169
Views: 26050

Re: v6.43.8 [stable] is released!

In wireless interface settings obviously.
by mrz
Fri Dec 21, 2018 1:29 pm
Forum: Beginner Basics
Topic: IPv6 subneting
Replies: 2
Views: 242

Re: IPv6 subneting

We cannot repeat the problem, please enable dhcp debug logs, enable dhcp client, make a supout file and send to support.
by mrz
Tue Dec 18, 2018 2:01 pm
Forum: Scripting
Topic: Script to disable BGP when OSPF neighbor down - No such item
Replies: 5
Views: 285

Re: Script to disable BGP when OSPF neighbor down - No such item

if ([/routing ospf neighbor find where address=\"192.168.37.1\"] != "") do={
#get state
}
by mrz
Tue Dec 18, 2018 1:44 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 65587

Re: v6.44beta [testing] is released!

set frequency-mode to regulatory-domain
by mrz
Tue Dec 18, 2018 1:37 pm
Forum: Scripting
Topic: Script to disable BGP when OSPF neighbor down - No such item
Replies: 5
Views: 285

Re: Script to disable BGP when OSPF neighbor down - No such item

Of course you will get no such item, because you are trying to get "state" parameter for non-existent item.

First check if ospf neighbor exists and only then try to get any params.
by mrz
Thu Dec 13, 2018 6:58 pm
Forum: General
Topic: HEX S and hardware IPSEC
Replies: 5
Views: 317

Re: HEX S and hardware IPSEC

Yes double encrypted. And you can play with change-mss rules in mangle to reduce TCP packet size to get better performance.
by mrz
Thu Dec 13, 2018 3:13 pm
Forum: General
Topic: HEX S and hardware IPSEC
Replies: 5
Views: 317

Re: HEX S and hardware IPSEC

There is no marketing trick. Test results are provided for pure ipsec tunnel with UDP traffic. In your case you are having additional load and overhead by using L2TP + l2tp encryption which is completely useless if you are using ipsec. Another thing is since you did not mention what protocol and pac...
by mrz
Thu Dec 13, 2018 2:06 pm
Forum: Forwarding Protocols
Topic: Top Level Router on Ospf Domain not able to get redistributed routes from NSSA Area [SOLVED]
Replies: 4
Views: 390

Re: Top Level Router on Ospf Domain not able to get redistributed routes from NSSA Area [SOLVED]

What "translator-role" did you set? If it is set to "never" then no routes will be translated.