Community discussions

by mrz
Tue Sep 25, 2018 11:35 am
Forum: Scripting
Topic: "No such item (4)" while counting connections
Replies: 10
Views: 248

Re: "No such item (4)" while counting connections

Connection tracking is large periodically changing table. While processing entries that entry could already be removed, so you will get no such item.
by mrz
Tue Sep 25, 2018 11:30 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 879
Views: 149332

Re: Feature requests

I join the request, I need secure way to use NordVPN. I'd like to ask to complete IPSEC/IKEv2 implementation. Motivation is: lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
Such request is pretty useless. Define what you consider "complete"? Which...
by mrz
Fri Sep 21, 2018 5:39 pm
Forum: Forwarding Protocols
Topic: OSPF: wrong lsa type
Replies: 14
Views: 360

Re: OSPF: wrong lsa type

Show OSPF config from 10.10.203.1 router
by mrz
Fri Sep 21, 2018 3:50 pm
Forum: Scripting
Topic: $ Sign Not Accepting from New Terminal
Replies: 5
Views: 150

Re: $ Sign Not Accepting from New Terminal

It is not recommended to use special characters used by console anywhere else (including password). But if you really want to use it, then the character needs to be escaped: \$
by mrz
Fri Sep 21, 2018 3:04 pm
Forum: Forwarding Protocols
Topic: OSPF: wrong lsa type
Replies: 14
Views: 360

Re: OSPF: wrong lsa type

No, Type 5 LSA is only if you are redistributing routes via (redistribute-connected, static, other ospf etc.) as it was mentioned previously
Or when ABR is changing from LSA type 7 to 5 (in case of NSSA)
by mrz
Fri Sep 21, 2018 12:43 pm
Forum: Forwarding Protocols
Topic: OSPF: wrong lsa type
Replies: 14
Views: 360

Re: OSPF: wrong lsa type

.. works only when redistribute-other-ospf is enabled
It most likely means that kh router uses different OSPF instance than other routers, and those routes from redistribute-other-ospf will be type 5 (external routes). OSPF creates a type 5 LSA for a subnet that is injected into OSPF from an ext...
by mrz
Thu Sep 20, 2018 4:28 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: IPv6 Firewall - Router Header
Replies: 4
Views: 194

Re: IPv6 Firewall - Router Header

As far as I know it is dropped by linux kernel, you do not need to add specific firewall rules for that. Correct me if I am wrong.
by mrz
Thu Sep 20, 2018 3:42 pm
Forum: Wireless Networking
Topic: Add mac address using milkrotik api call php
Replies: 3
Views: 120

Re: Add mac address using milkrotik api call php

Open terminal and type in /interface wireless registration-table add
What will you get?
by mrz
Thu Sep 20, 2018 1:40 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 224
Views: 24961

Re: Winbox vulnerability: please upgrade

would check firewall rules for unsafe entries on every upgrade
What is considered unsafe entry? And how would you determine that particular entry is unsafe in specific firewall?
by mrz
Thu Sep 20, 2018 11:18 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 224
Views: 24961

Re: Winbox vulnerability: please upgrade

No it does not, unless you scheduled automatic restarts.
by mrz
Thu Sep 20, 2018 11:15 am
Forum: General
Topic: Difficulty to use Mikrotik as OpenVPN client (TCP without compresion)
Replies: 2
Views: 115

Re: Difficulty to use Mikrotik as OpenVPN client (TCP without compresion)

Compression in PPP profile has nothing to do with LZO.
LZO is not supported, see the manual on which features are supported and which not:
https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN
by mrz
Thu Sep 20, 2018 11:13 am
Forum: General
Topic: restore back to identical devices never works :(
Replies: 28
Views: 815

Re: restore back to identical devices never works :(

Like I said, did anyone report these problems to support? Only now, with this thread to you. Hopefully you can put it on the agenda 😊
Write to support, specify what configuration you had on the router when you created backup (preferably generate supout file) then restore backup and generate anoth...
by mrz
Thu Sep 20, 2018 11:07 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 224
Views: 24961

Re: Winbox vulnerability: please upgrade

Even your "beloved" Microsoft does not force reboots. You choose when to reboot the PC.
by mrz
Wed Sep 19, 2018 2:57 pm
Forum: General
Topic: Cannot establish IPsec point to point VPN between Cisco RV180 and Mikrotik HAP ac2
Replies: 2
Views: 105

Re: Cannot establish IPsec point to point VPN between Cisco RV180 and Mikrotik HAP ac2

It means that phase1 fails because routers cannot communicate with each other. I would suggest to recheck firewall if UDP/500 is allowed.
by mrz
Wed Sep 19, 2018 1:28 pm
Forum: General
Topic: restore back to identical devices never works :(
Replies: 28
Views: 815

Re: restore back to identical devices never works :(

Like I said, did anyone report these problems to support?
by mrz
Wed Sep 19, 2018 12:49 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: ip cloud without default route
Replies: 4
Views: 194

Re: ip cloud without default route

It is not possible, please read some basic info how routing works.
If you do not need default route then add static route to cloud servers address manually.
by mrz
Tue Sep 18, 2018 5:19 pm
Forum: General
Topic: L2TP & Unsafe Config
Replies: 2
Views: 206

Re: L2TP & Unsafe Config

This is informative message so that you know potential risk of using PSK.
by mrz
Tue Sep 18, 2018 5:17 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: ip cloud without default route
Replies: 4
Views: 194

Re: ip cloud without default route

How do you expect router will reach cloud server without routes?
by mrz
Tue Sep 18, 2018 3:12 pm
Forum: General
Topic: restore back to identical devices never works :(
Replies: 28
Views: 815

Re: restore back to identical devices never works :(

Did you report any of these problems to support?
by mrz
Tue Sep 18, 2018 2:32 pm
Forum: General
Topic: Best software to monitor bgp peers?
Replies: 2
Views: 89

Re: Best software to monitor bgp peers?

Zabbix can monitor ROS BGP peers
by mrz
Tue Sep 18, 2018 1:28 pm
Forum: General
Topic: restore back to identical devices never works :(
Replies: 28
Views: 815

Re: restore back to identical devices never works :(

Define "same type of device"? Backup was never intended to work between different HW models.
You can restore backup reliably only on exactly the same HW model.
by mrz
Tue Sep 18, 2018 12:25 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 72
Views: 8836

Re: v6.44beta [testing] is released!

Because it is whole system backup.
by mrz
Mon Sep 17, 2018 4:55 pm
Forum: General
Topic: IPsec IKE2 can find valid sertificate [SOLVED]
Replies: 5
Views: 182

Re: IPsec IKE2 can find valid sertificate [SOLVED]

You need to import also CA, not just client cert.
by mrz
Mon Sep 17, 2018 4:31 pm
Forum: Scripting
Topic: port tracking in php PEAR2 Api
Replies: 2
Views: 91

Re: port tracking in php PEAR2 Api

API cannot do this, such selection must be done on your APP side.
by mrz
Mon Sep 17, 2018 4:28 pm
Forum: General
Topic: Bug: No such item(4) or object doesn't exist (4)
Replies: 5
Views: 262

Re: Bug: No such item(4) or object doesn't exist (4)

Those are dynamic interfaces, IDs will change on reconnect, if your script tries to edit interface that is at the same time reconnected you will get an error that item does not exist.
by mrz
Mon Sep 17, 2018 1:16 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 224
Views: 24961

Re: Winbox vulnerability: please upgrade

How happy would you be if Tesla would suddenly reboot and try to upgrade in a middle of slippery mountain road with a lot of dangerous turns? Router is supposed to work 24/7 and it is not possible to guess what would be convenient time for each customer to upgrade and have network downtime. That is ...
by mrz
Mon Sep 17, 2018 11:17 am
Forum: Forwarding Protocols
Topic: OSPF: Filter routes using firewall
Replies: 4
Views: 164

Re: OSPF: Filter routes using firewall

It could be possible with L7 filters, but running such filters will consume a lot of CPU resources and another problem is that OSPF does not send one LSA per packet, so even if you get packet to match you will be dropping all LSAs in that packet. Not to mention that this whole filtering thing will g...
by mrz
Mon Sep 17, 2018 11:14 am
Forum: Forwarding Protocols
Topic: OSPF: Route not being filtered [SOLVED]
Replies: 12
Views: 361

Re: OSPF: Route not being filtered [SOLVED]

Only "external" routes can be filtered. Based on your configuration 192.168.126.216/29 is not advertised as "external".
by mrz
Mon Sep 17, 2018 11:07 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 224
Views: 24961

Re: Winbox vulnerability: please upgrade

by mrz
Mon Sep 17, 2018 10:44 am
Forum: General
Topic: Ikev2 + Eap Radius + Windows 10 Not Working - But Working On Apple Devices
Replies: 18
Views: 902

Re: Ikev2 + Eap Radius + Windows 10 Not Working - But Working On Apple Devices

Yes, you got it right, initially it is CLI only but will be added to Winbox too.
by mrz
Tue Sep 11, 2018 5:16 pm
Forum: General
Topic: IPsec, mode config and xauth users
Replies: 5
Views: 181

Re: IPsec, mode config and xauth users

Not possible directly. Solution is to use remote syslog server or by scripts on the router, filter needed log entries and then email.
by mrz
Tue Sep 11, 2018 2:05 pm
Forum: General
Topic: IPsec, mode config and xauth users
Replies: 5
Views: 181

Re: IPsec, mode config and xauth users

Yes you can assign static IP address by modeconf and use firewall to limit/route traffic for specific IP.
by mrz
Tue Sep 11, 2018 12:21 pm
Forum: General
Topic: Ikev2 + Eap Radius + Windows 10 Not Working - But Working On Apple Devices
Replies: 18
Views: 902

Re: Ikev2 + Eap Radius + Windows 10 Not Working - But Working On Apple Devices

v6.44beta version will have new feature:
ike2- option to specify certificate chain
by mrz
Tue Sep 11, 2018 12:05 pm
Forum: Scripting
Topic: Crazy bug mess in routerOS wireless scripting
Replies: 5
Views: 183

Re: Crazy bug mess in routerOS wireless scripting

Upgrade RouterOS, I cannot repeat any of your mentioned problems with latest ROS.
by mrz
Mon Sep 10, 2018 6:25 pm
Forum: Scripting
Topic: Mikrotik logic bug
Replies: 3
Views: 170

Re: Mikrotik logic bug

Works for me.
[admin@MikroTik] > :do { /interface wireless set wlan1 band=5ghz-a; :put "no error"} on-error={ :put "error"}
error
What you are telling is not how it should work, there will never be two log entries. If there is an error, then script inside do () immediately stops and on-error is exec...
by mrz
Mon Sep 10, 2018 12:29 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 149
Views: 15800

Re: v6.43 [current] is released!

Of course it will show "file downloaded", because to output something you need to download it first.
by mrz
Thu Sep 06, 2018 4:50 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 224
Views: 24961

Re: Winbox vulnerability: please upgrade

Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly.
Of course we will think about improvements, but there will always be the case when somebody changes something and complains that router is not secure.
by mrz
Thu Sep 06, 2018 3:18 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 224
Views: 24961

Re: Winbox vulnerability: please upgrade

unless they have a time machine (and you guys don't, right?).
We are working on it.
by mrz
Thu Sep 06, 2018 10:51 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 224
Views: 24961

Re: Winbox vulnerability: please upgrade

I still believe Mikrotik's default configuration is too weak for the majority of their lazy/inexperienced customers, therefore I'd suggest to ship future ROS releases in Fortknox-mode by default.
Be more specific what exactly is not secure? Default firewall is as secure as it can be, only ICMP is a...
by mrz
Tue Sep 04, 2018 5:23 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 23
Views: 2264

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

You don't, there is no need for L2TP when ike2 is used.
by mrz
Tue Sep 04, 2018 4:11 pm
Forum: Scripting
Topic: Remove BGP network by comment via PHP API
Replies: 22
Views: 459

Re: Remove BGP network by comment via PHP API

It should be done automatically by your app. That is how API works and how it should be used.
by mrz
Tue Sep 04, 2018 4:00 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 23
Views: 2264

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Not really, can be done with EAP authentication.
And if clients are only ROS devices or IOS you can use PSK as well.
by mrz
Tue Sep 04, 2018 3:58 pm
Forum: Scripting
Topic: Remove BGP network by comment via PHP API
Replies: 22
Views: 459

Re: Remove BGP network by comment via PHP API

Because you didn't specify ID to remove.

1) run print
2) get ID
3) use ID to remove network
by mrz
Tue Sep 04, 2018 3:33 pm
Forum: Scripting
Topic: Remove BGP network by comment via PHP API
Replies: 22
Views: 459

Re: Remove BGP network by comment via PHP API

It does not change in milliseconds (time between two commands)
Works as expected:
/routing/bgp/network/print
?comment=test
=.proplist=.id

<<< /routing/bgp/network/print
<<< ?comment=test
<<< =.proplist=.id
<<<
>>> !re
>>> =.id=*0
>>>
>>> !done
>>>
/routing/bgp/network/remove
=.id=*0

<<< /routing/bgp...
by mrz
Tue Sep 04, 2018 3:14 pm
Forum: Scripting
Topic: Remove BGP network by comment via PHP API
Replies: 22
Views: 459

Re: Remove BGP network by comment via PHP API

You haven't specified any ID to remove.
by mrz
Tue Sep 04, 2018 3:04 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 23
Views: 2264

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Is this overcomplicated thing really necessary, where you can switch to ike2 and forget about NAT problems?
by mrz
Tue Sep 04, 2018 3:02 pm
Forum: Scripting
Topic: Remove BGP network by comment via PHP API
Replies: 22
Views: 459

Re: Remove BGP network by comment via PHP API

API and terminal is not the same thing. There is no such thing as '[find comment=tes"]' or regexp matching in API. Read link provided earlier about API queries. First method does not work, because you do not have bgp network with comment 'test', you have comment that contains test. Read possible solut...
by mrz
Tue Sep 04, 2018 11:28 am
Forum: Scripting
Topic: Remove BGP network by comment via PHP API
Replies: 22
Views: 459

Re: Remove BGP network by comment via PHP API

Key words (contain word "test"). Queries in API do not have regexp matching, so you have two options: either match exact comment string or get all networks and do comment filtering on client side app.