Community discussions

Search found 159 matches

by nostromog
Thu Oct 03, 2019 7:33 pm
Forum: RouterBOARD hardware
Topic: LtAP Mini LTE Kit is awful when network signal is unstable
Replies: 6
Views: 782

Re: LtAP Mini LTE Kit is awful when network signal is unstable

When I'm in a city with strong 3/4G coverage, everything works as it is supposed to. But when I leave the big city the Internet connection becomes awful and nearly unusable (though a usual phone with the same ISP shows 3-4 sticks of 3G/H+ and the above-mentioned Huawei 4G router also changes bands and base stations seaml...
by nostromog
Mon Sep 30, 2019 9:00 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 102
Views: 36470

Re: v6.46beta [testing] is released!

To be precise, what I observe is a never ending sequence of 19:15:39 ipsec,info initiate new phase 1 (Identity Protection): 2001:470:NNNN:NNNN::1[500]<=>2001:470:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN[500] 19:16:39 ipsec,error phase1 negotiation failed due to time up 2001:470:NNNN:NNNN::1[500]<=>2001:470:NNN...
by nostromog
Mon Sep 30, 2019 12:59 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 102
Views: 36470

Re: v6.46beta [testing] is released!

Well, then fix the IPv6 address. It will not try a different address until the previous one times out (after DNS TTL). It has always been like this; however, we have fixed IPv6 address resolving in the beta. I wonder what you call "times out (after DNS TTL)". Do you mean the use of DNS names is n...
by nostromog
Fri Sep 27, 2019 10:18 pm
Forum: General
Topic: CRS125-24G 100% CPU on IPSec Configuration using RSA Signature Hybrid
Replies: 3
Views: 468

Re: CRS125-24G 100% CPU on IPSec Configuration using RSA Signature Hybrid

I experienced the same bug; resetting the configuration and re-importing it was the only solution to fix it.

Sent from my Redmi Note 5 using Tapatalk

by nostromog
Fri Sep 27, 2019 10:17 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 102
Views: 36470

Re: v6.46beta [testing] is released!

I'm seeing a problem with DNS resolution of ipsec peer in this beta: I have an ipsec peer that happens to have a correct ipv4 address, but an ipv6 address that does not work. On boot, the ipv6 address is picked up, but the ipsec remains in message-1-sent state forever. I need to do /ip ipsec peer di...
by nostromog
Tue Sep 24, 2019 11:04 am
Forum: RouterBOARD hardware
Topic: Recover from "No Default Configuration" System Reset
Replies: 17
Views: 975

Re: Recover from "No Default Configuration" System Reset

One technique I have used, as a linux user, to check if the router is alive when I lost configuration and the machines have ipv6 package active, is to plug an ethernet cable from my laptop to the router, ensure that the link is up on the linux side and # use your eth interface name instead of eth1 $...
by nostromog
Mon Sep 23, 2019 11:13 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 534

Re: "pure" ipsec, how to deal with MTU?

Can't it be your srcnat rules touching something they should not? Because unless I'm lost in what's connected where, if the icmp response should go to 192.168.21.251, then 192.168.90.253 as source doesn't look right. Well, I don't choose the source of an ICMP error packet generated by the kernel/ne...
by nostromog
Mon Sep 23, 2019 9:59 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 534

Re: "pure" ipsec, how to deal with MTU?

Check what the router really sends or not directly on router, add logging rule in output for icmp and destination address of client, and you'll see. This is what I did, using /tool sniffer and some logging, and I have seen. I'd expect the opposite for split-include configs, i.e. that 0.0.0.0/0 woul...
by nostromog
Mon Sep 23, 2019 8:21 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 534

Re: "pure" ipsec, how to deal with MTU?

You don't need to do anything about it. Just make sure you do not blindly block the ICMP traffic so PMTUD over your tunnels works. It is not working. It is working locally, i.e. the router at the "client" side of the ipsec tunnel will give the error I posted, but it is not working for clients of th...
by nostromog
Sat Sep 21, 2019 10:35 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 534

"pure" ipsec, how to deal with MTU?

Hi, I set up in my home router a "pure" ipsec VPN, experimentally before I set it up in my company. It is currently ikev1 with xauth, something like /ip address add address=192.168.90.1/24 interface=bridge network=192.168.90.0 /ip ipsec mode-config add address-pool=vpn2 name=RW-cfg split-include=0.0...
by nostromog
Sat Sep 14, 2019 5:18 pm
Forum: General
Topic: Access to MikroTik LtAP console via LTE
Replies: 3
Views: 577

Re: Access to MikroTik LtAP console via LTE

The typical solution to this problem is that you have a VPN server and each router connects to it automatically once it gets signal. So from the server you can reach any of the devices. It will cause idle traffic, though, as keeping alive the connection is the only way to have it available when it i...
by nostromog
Fri Sep 13, 2019 10:11 pm
Forum: General
Topic: L2TP/IPSec VLAN no HTTP (port 80) [SOLVED]
Replies: 2
Views: 433

Re: L2TP/IPSec VLAN no HTTP (port 80) [SOLVED]

Looks like an MTU issue. You can measure the MTU using ping ... size=<n> do-not-fragment, changing n until you find the maximum that answers, and adjust the MTU of the interface, etc.


Sent from my Redmi Note 5 using Tapatalk
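The "change n until you find the maximum that answers" procedure from the post above, done as a binary search instead of by hand. This is an added example, not code from the post: the search works against any probe(size) -> bool callable, so here it runs offline against a simulated 1400-byte path (the kind of MTU a tunnel leaves you with); the Linux probe shells out to iputils ping and is not exercised. One caveat a practitioner wants encoded: RouterOS's /ping size= counts the whole IP packet (headers included, minimum 28), while iputils ping -s counts only the ICMP payload, so the same path gives different "largest size" numbers on the two tools.

```python
"""Path-MTU probing by binary search over don't-fragment pings (added example)."""
import subprocess
from typing import Callable

IPV4_HEADER = 20
ICMP_HEADER = 8
HEADERS = IPV4_HEADER + ICMP_HEADER  # 28 bytes around the ICMP payload


def largest_passing(probe: Callable[[int], bool], lo: int, hi: int,
                    attempts: int = 1) -> int:
    """Largest n in [lo, hi] for which probe(n) succeeds, or -1 if none does.

    Assumes monotonicity (if n fits, anything smaller fits too). With
    attempts > 1 a size only counts as fitting when every attempt succeeds,
    so a single lost reply on a lossy LTE/Wi-Fi path is not read as "too big".
    """
    best = -1
    while lo <= hi:
        mid = (lo + hi) // 2
        if all(probe(mid) for _ in range(attempts)):
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return best


def path_mtu_from_payload(payload: int) -> int:
    """Convert an iputils-style payload size to the IPv4 path MTU."""
    return payload + HEADERS


def linux_probe(host: str, timeout_s: int = 1) -> Callable[[int], bool]:
    """Real probe for a Linux host: `ping -M do` sets DF; a non-zero exit
    means 'fragmentation needed' or no reply. Not exercised offline."""
    def probe(payload: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(payload), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path whose MTU is `path_mtu` bytes: a DF
    packet gets through only if payload + headers fits."""
    return lambda payload: payload + HEADERS <= path_mtu


def measure_linux_style(probe: Callable[[int], bool], attempts: int = 1) -> int:
    """Largest `ping -s` payload that passes, searched over 0..1472
    (a 1500-byte Ethernet MTU minus the 28 header bytes)."""
    return largest_passing(probe, 0, 1500 - HEADERS, attempts)


def measure_routeros_style(probe_total: Callable[[int], bool], attempts: int = 1) -> int:
    """Same search, but the probe takes the total packet size as RouterOS
    `/ping size=` does, so the result is the path MTU directly."""
    return largest_passing(probe_total, HEADERS, 1500, attempts)


if __name__ == "__main__":
    sim = simulated_probe(1400)  # constructed path, e.g. behind an IPsec tunnel
    payload = measure_linux_style(sim, attempts=3)
    print(f"largest payload {payload}, path MTU {path_mtu_from_payload(payload)}")
    print("RouterOS-style size:", measure_routeros_style(lambda n: n <= 1400))
```

Against a real host, replace the simulated probe with linux_probe("203.0.113.1") and point the RouterOS-style search at the router's own ping. The number you then set on the interface is the path MTU (payload + 28 on Linux, the size itself on RouterOS), not the payload.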

by nostromog
Wed Sep 11, 2019 9:13 am
Forum: Wireless Networking
Topic: Bit confused by the existence of the hAP AC Lite?
Replies: 15
Views: 1355

Re: Bit confused by the existence of the hAP AC Lite?

The maximum one tends to get with Wi-Fi 4 (802.11n) with two chains (e.g. many laptops) is ~70Mbps, so it's a reasonable match for VDSL2 here in the UK, where the internet link isn't much higher than that in many cases, often less. So having a 100Mbps port for the internet connection is fine. One tends...
by nostromog
Tue Sep 10, 2019 10:09 pm
Forum: General
Topic: Feature Request: Add LTE to WAN Interface List by default
Replies: 4
Views: 520

Re: Feature Request: Add LTE to WAN Interface List by default

In IPsec an add-to-list option is being added; this would be similar, I guess.

Sent from my Redmi Note 5 using Tapatalk

by nostromog
Tue Aug 27, 2019 3:15 pm
Forum: Beginner Basics
Topic: Unable to return to default configuration
Replies: 1
Views: 297

Re: Unable to return to default configuration

It might be that the script that restores the configuration has a bug, or the firmware is not initializing properly. For instance, the script posted below tries 40 times to find the wireless interfaces, and they might take more time to initialize than this... You can try to understand what is going ...
by nostromog
Sat Aug 24, 2019 7:49 pm
Forum: Beginner Basics
Topic: How to dumb bridge (?) using hAP ac lite
Replies: 11
Views: 1022

Re: How to dumb bridge (?) using hAP ac lite

... create a bridge add all ether interfaces to that bridge As soon as I change the interface I'm using (eth2 in this case) from the old bridge to the new one, I lose contact with the router, and can't get there from here. I am running winbox on wine on debian. When I have been cut access from the ...
by nostromog
Tue Aug 20, 2019 8:18 pm
Forum: Wireless Networking
Topic: MAP2n as Travel Router Configuration Assistance
Replies: 18
Views: 1683

Re: MAP2n as Travel Router Configuration Assistance

So played w/ this some and realized w/ the Lost_Duckling mode making it an AP instead of a bridge I can then connect to my normal wlan and get into the web-config. I should then be able to set up the hotel wireless as a new profile and change wlan1 back to a station, save and try to connect, correct? M...
by nostromog
Thu Aug 15, 2019 10:12 pm
Forum: Wireless Networking
Topic: MAP2n as Travel Router Configuration Assistance
Replies: 18
Views: 1683

Re: MAP2n as Travel Router Configuration Assistance

So I added the following code: /interface wireless security-profiles add authentication-types=wpa2-psk management-protection=allowed mode=\ dynamic-keys name=lost_duckling supplicant-identity=MikroTik \ wpa2-pre-shared-key=MyTempPSK :log info "script: Going into Lost Duckling mode" /interface wirel...
by nostromog
Wed Aug 14, 2019 7:11 pm
Forum: General
Topic: How to remove wrong dynamic-servers from /ip dns?
Replies: 4
Views: 737

Re: How to remove wrong dynamic-servers from /ip dns?

Dynamic DNS servers are added by DHCP/PPPoE/... and they don't stick. Stop the client or uncheck the option to add them, and they go away. If not, it would be a bug. It is a bug, then, as they have been around for months, after reboots and whatnot. My guess is that if one disables the dhcp-client / p...
by nostromog
Wed Aug 14, 2019 5:20 pm
Forum: General
Topic: How to remove wrong dynamic-servers from /ip dns?
Replies: 4
Views: 737

How to remove wrong dynamic-servers from /ip dns?

Hi, I have the same problem in several routers: I have a router in London where I used for a short time my cellular phone via USB cable, and via dhcp-client the DNS addresses of my provider went into /ip dns dynamic-servers... Several months and reboots from then they are still there, in spite of th...
by nostromog
Wed Aug 14, 2019 5:12 pm
Forum: Scripting
Topic: mAP lite as travel router [SOLVED]
Replies: 5
Views: 904

Re: mAP lite as travel router [SOLVED]

(...) To run AP & Client simultaneously, you can run AP as master and station as virtual interface (use wlan2 in connect-list entries). /interface wireless set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=AP1 add default-authentication=no disabled=no master-interface=wlan1 mode=stati...
by nostromog
Tue Aug 13, 2019 2:06 pm
Forum: RouterBOARD hardware
Topic: New Router
Replies: 2
Views: 806

Re: New Router

My old router died due to heat stroke so I need to buy a new router. I had a RB750G and my network connection is 500/500 but I'm going to upgrade to 1000/1000. I have 3x high-speed computers that need a switch chip or fast CPU to bridge the traffic. 1x ip-telephone 1x laptop (some times on Cab...
by nostromog
Sun Aug 11, 2019 3:35 pm
Forum: Scripting
Topic: WOL not working after upgrade
Replies: 9
Views: 964

Re: WOL not working after upgrade

Interface is Bridge1 for all inside MACs on hEX
/ip arp print
 0 DC 10.10.10.41     00:1A:EC:0C:1C:83 Bridge1
 1 DC 10.10.10.32     90:BA:1A:68:DA:D1 Bridge1
...
...
This means that bridge1 is the broadcast domain where the wake tool should be fired.

Sent from my Redmi Note 5 using Tapatalk

by nostromog
Sun Aug 11, 2019 11:07 am
Forum: Wireless Networking
Topic: MAP2n as Travel Router Configuration Assistance
Replies: 18
Views: 1683

Re: MAP2n as Travel Router Configuration Assistance

Can you have multiple profiles to connect to on wlan1? If so your first idea works for me. The 2nd is great too when I travel for work, but don't always have a laptop otherwise. yes, you write different security profiles and connect list entries. See the manual. I have set up one per wifi, in order...
by nostromog
Sun Aug 11, 2019 7:02 am
Forum: Scripting
Topic: WOL not working after upgrade
Replies: 9
Views: 964

Re: WOL not working after upgrade

:put [/ip arp get [f where mac-address=A0:48:1E:B8:8D:58] interface] This may not work. On hEX routers, it will just show name of the bridge where the interface is connected, not the physical interface. The interface where it appears in arp table is the one that wake command needs Sent from my Redm...
by nostromog
Fri Aug 09, 2019 10:37 am
Forum: Wireless Networking
Topic: MAP2n as Travel Router Configuration Assistance
Replies: 18
Views: 1683

Re: MAP2n as Travel Router Configuration Assistance

Only issue I foresee now is wlan2 not being available unless the Map connects to wlan1 first. Not a problem if I know the SSID ahead of time but won't always be the case. More than likely will disable wlan2 and Daisy chain a Maplite off of it so I can connect to the management interface of the 2n a...
by nostromog
Tue Aug 06, 2019 1:49 pm
Forum: Scripting
Topic: WOL not working after upgrade
Replies: 9
Views: 964

Re: WOL not working after upgrade

I hate upgrades, as always something goes wrong (of course other things might have been wrong previously, hence the need for upgrade). This time WOL stopped working in both 6.44.3 & current 6.45.3. It used to work perfectly fine in my old 6.34.x version. I can use Depicus WOL GUI tool (and with setting...
by nostromog
Sat Aug 03, 2019 2:09 pm
Forum: General
Topic: NAT-T flag missing in 6.45.3
Replies: 7
Views: 801

Re: NAT-T flag missing in 6.45.3

I'm not using NAT Traversal. Active-peers doesn't exist the same way in 6.44 due to all the changes between 6.44 and 6.45. NAT-Traversal is not something you "use". NAT Traversal is a technique used when the ipsec-esp protocol cannot establish a connection between two peers; it then encapsulates th...
by nostromog
Sat Aug 03, 2019 1:26 pm
Forum: General
Topic: NAT-T flag missing in 6.45.3
Replies: 7
Views: 801

Re: NAT-T flag missing in 6.45.3

I was just confirming that I don't get the black hole in either direction with 6.44.5
1423 does generate "packet too large".
Are you seeing the "N" (NAT Traversal) flag in both sides when you ask for the active peers? I see it only in the responder and it should be in both sides.
by nostromog
Sat Aug 03, 2019 12:38 pm
Forum: General
Topic: NAT-T flag missing in 6.45.3
Replies: 7
Views: 801

Re: NAT-T flag missing in 6.45.3

The blackhole is making TCP connections impossible unless I trim the MTU in the initiator side. I'd say that this was not happening pre-6.45, but it is hard to remember if I tried to do tcp connections using IPsec this way while running previous releases. I have an IPSec link between two devices on...
by nostromog
Sat Aug 03, 2019 11:56 am
Forum: General
Topic: NAT-T flag missing in 6.45.3
Replies: 7
Views: 801

NAT-T flag missing in 6.45.3

I found a strange problem with the latest releases. The initiator side of an IPsec association is not showing the NAT-T flag, while the responder does. Also there is a blackhole between 1406-1422 bytes size on the initiator side. This is happening at least in 6.45.1-3; currently both sides run 6.45.3. How ...
by nostromog
Fri Aug 02, 2019 11:34 am
Forum: General
Topic: Block Ping request
Replies: 9
Views: 5341

Re: Block Ping request

Block ICMP packets and allow router to show as a hop on traceroutes;

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
Doesn't Work!
Of course, disabled=yes is a very effective way to make non-working firewall rules :)
by nostromog
Thu Aug 01, 2019 7:30 pm
Forum: RouterBOARD hardware
Topic: RouterBOARD naming
Replies: 47
Views: 24393

Re: RouterBOARD naming

There will be a non-TC (classic MikroTik style) version of hap ac2? Are you aware that the ac^2 can be installed "flat"? i.e. the base has two configurations, the tower one and a desktop one. By the way, I agree that the leds are too difficult to read, in any condition of light. I can barely tell h...
by nostromog
Wed Jul 31, 2019 4:17 am
Forum: Wireless Networking
Topic: How to get signal-strength from wireless card
Replies: 3
Views: 534

Re: How to get signal-strength from wireless card

On the other hand the Keyword "as-value" seems not to be working on mode "ap_bridge" Routeros will not print any returned value unless you ":put" it: # Here "wlan1" is in station mode and "wlan2" in ap-bridge mode /interface wireless {:put ([monitor wlan1 once as-value ]->"signal-strength")} -50 /i...
by nostromog
Wed Jul 24, 2019 3:59 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 35
Views: 2410

Re: help to set ipv6 / 48

ok to recap: in ipv6 address I entered: 2a02: 2f0f: 1c2 :: 1/48 interface bridgeLAN in the routes: ok to recap: in ipv6 address I entered: 2a02: 2f0f: 1c2 :: 1/48 interface bridgeLAN in the routes: # DST-ADDRESS GATEWAY DISTANCE 0 A S ::/0 fe80::1%eth6_WAN 1 1 ADC 2a02:2f0f:1c2::/48 bridge_LAN 0 bu...
by nostromog
Thu Jul 18, 2019 9:57 pm
Forum: General
Topic: rx,tx byte rate in interface menu
Replies: 7
Views: 1365

Re: rx,tx byte rate in interface menu

/interface monitor-traffic LAN once do={:put $"rx-bits-per-second" } How to record this value to the log and let it display like 14.5Mbps, retaining a decimal point. Trying to find the entire forum, many will not work. The syntax of Routeros scripting is designed for easy parsing rather than readab...
by nostromog
Wed Jul 17, 2019 10:26 am
Forum: General
Topic: IPsec doesn't work after upgrade from 6.43.16 to 6.44 and high
Replies: 4
Views: 545

Re: IPsec doesn't work after upgrade from 6.43.16 to 6.44 and high

I've seen here on the forum a case like this, the solution was to export the ipsec configuration into an external text file, remove it on the machine, upgrade the machine and create the ipsec configuration manually again. There was a significant change in the IPsec configuration structure either be...
by nostromog
Fri Jul 05, 2019 8:25 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69369

Re: v6.45.1 [stable] is released!

In order to upgrade ROS, your hAP lite needs at least some 14MB RAM free (possibly even more) and around 1MB hdd free. Both are displayed using command /system resource print (fields free-memory and free-hdd-space respectively). If your RAM is low, try to reboot device (in case there are some proce...
by nostromog
Fri Jul 05, 2019 9:31 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69369

Re: v6.45.1 [stable] is released!

It hangs in some initial script that tries to modify ipsec policies depending on dynamic local ip, it hangs on "/ export" or "/ip ipsec <whatever>". I can't generate a supout because it hangs :( Have you tried to reset the machine to defaults before or better after upgrade to 6.45.1 and then manual...
by nostromog
Wed Jul 03, 2019 7:43 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69369

Re: v6.45.1 [stable] is released!

I upgraded 2 mAP Lite without a single issue, and another old 750GL. Same. On the other side, the hAP ac that could not be upgraded/downgraded to 6.44.* or 6.45beta* because it had the 100% looping CPU on ipsec is still behaving the same. It hangs in some initial script that tries to modify ipsec poli...
by nostromog
Mon Jul 01, 2019 9:07 am
Forum: Wireless Networking
Topic: Number of Wi-Fi connections on hAP mini
Replies: 8
Views: 1130

Re: Number of Wi-Fi connections on hAP mini

So hence the reason I was interested in the hAP range. MikroTik are not that well known in the UK but I was interested when I saw them on Broadbandbuyer. It sounds like the mini is a little underpowered but I punted out the £20 and bought one anyway. I'm on good terms with the cafe I was talking ...
by nostromog
Wed Jun 26, 2019 10:00 pm
Forum: Wireless Networking
Topic: Number of Wi-Fi connections on hAP mini
Replies: 8
Views: 1130

Re: Number of Wi-Fi connections on hAP mini

Nostromog, could you tell us why "MIPS" is not good to handle encrypted traffic? It is not a problem of handling encrypted traffic, but of doing encryption. The MIPS CPU has only one core, and does not have hardware support for AES encryption. So, if you are terminating encrypted VPNs in your router...
by nostromog
Sat Jun 22, 2019 2:03 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71029

Re: v6.45beta [testing] is released!

You can try to manually download the package from download.mikrotik.com - choose extra packages which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from router itself. Upload those npk files to router and reboot the router afterwa...
by nostromog
Fri Jun 21, 2019 5:08 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71029

Re: v6.45beta [testing] is released!

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file become corrupt? Is it some problem in this device?
by nostromog
Fri Jun 21, 2019 4:29 pm
Forum: Wireless Networking
Topic: Number of Wi-Fi connections on hAP mini
Replies: 8
Views: 1130

Re: Number of Wi-Fi connections on hAP mini

The main limitation of the hAP mini is its RAM, a bit on the small side with only 32M RAM, which brings one problem that you can search for in the forum: often it is difficult to upgrade, as the upgrade firmware is downloaded into RAM, and depending on your configuration it can get tricky. I have good...
by nostromog
Thu Jun 06, 2019 7:22 pm
Forum: General
Topic: hAP ac² as switch + ap
Replies: 9
Views: 768

Re: hAP ac² as switch + ap

[*] select static ip address or dynamic, as desired It seems like what I want, I'm just not sure if the address you mention here is just to access hAPs configuration or will all wifi clients use this IP to talk with the rest of the network? I want my server to assign each ip. Mikrotik routers are q...
by nostromog
Thu Jun 06, 2019 6:45 pm
Forum: General
Topic: hAP ac² as switch + ap
Replies: 9
Views: 768

Re: hAP ac² as switch + ap

EDIT: I think I was wrong, WISP AP is for a station connection on 5GHz band, use instead Home AP Dual. So there is no hidden NAT on the wlan where in the end every device is presented under the same ip to my server like I've read is the problem with some routers? I think that if you upgrade it, sel...
by nostromog
Tue Jun 04, 2019 1:40 pm
Forum: RouterBOARD hardware
Topic: Cheapest router for home use with 1Gb
Replies: 7
Views: 1109

Re: Cheapest router for home use with 1Gb

https://mikrotik.com/products/compare/RBD52G-5HacD2HnD-TCr2+RB4011iGSplus5HacQ2HnD-IN Those two models have 1Gb network interfaces, dual band WiFi, 4 cores with good performance for firewalling or VPN at high bandwidth. If you are looking for a cheap solution, I'm quite happy with the hAP ac^2 I have at...
by nostromog
Sat Jun 01, 2019 2:57 pm
Forum: General
Topic: Please add the ability to choose Proposal
Replies: 11
Views: 1360

Re: Please add the ability to choose Proposal

Why is the use-ipsec=yes a bad thing? It is not a bad thing if you just want to protect a connection. What tomaskir said is that if you want to do an "in-depth IPSec config" it is better not to use these parameters and to create the policies for the tunnels yourself. The solution proposed by emils a...
by nostromog
Sat May 25, 2019 7:49 pm
Forum: General
Topic: Download over xDSL, Upload over 4G LTE
Replies: 10
Views: 737

Re: Download over xDSL, Upload over 4G LTE

(...) In the system perspective, you have the router at the site with poor ADSL upload, let's call it the VPN client for simplicity, and the router with good connectivity and public IP address somewhere else - let's call it the VPN server. There are two VPN tunnels established between the two, one ...
by nostromog
Thu May 16, 2019 2:40 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71029

Re: v6.45beta [testing] is released!

Hi Mikrotik, are you aware if RouterOS is patched for this threat? https://www.tomsguide.com/us/zombieload-attack-intel-what-to-do,news-30082.html I think an accurate answer would be that RouterOS running on x86 is not itself vulnerable, but the vulnerability could be exploited in the unpatched h...
by nostromog
Sat May 11, 2019 10:05 pm
Forum: Scripting
Topic: ping time script
Replies: 1
Views: 424

Re: ping time script

It is complicated as the ping command does not offer many options in RouterOS. You could do something like :if ([:ping 1.1.1.1 count=10 interval=90ms]<8) do={:put something} This will execute the do= block if less than 8 out of 10 pings arrive in less than 90ms. You could tune: The number of attempt...
by nostromog
Fri May 10, 2019 5:23 pm
Forum: Scripting
Topic: Routing exeptions for connections from the routers itself
Replies: 7
Views: 583

Re: Routing exeptions for connections from the routers itself

Here's a challenge for the routing experts :-) I have a script that uses the Telegram messenger API to notify about logins, errors, etc. on a router; this is done by "/tool fetch url="https://api.telegram.org/bot...." in a script. Since api.telegram.org is blocked in several countries, I want this ...
by nostromog
Tue May 07, 2019 8:11 pm
Forum: Wireless Networking
Topic: MUM Wireless to Wireless
Replies: 6
Views: 638

Re: MUM Wireless to Wireless

https://mum.mikrotik.com/presentations/NL19/presentation_6878_1556787638.pdf Can somebody explain what this chap is doing in basic terms because i find it very confusing and have no idea of any applications for the magic he described. A wireless interface in routeros can be in several modes. Some s...
by nostromog
Tue May 07, 2019 5:21 pm
Forum: General
Topic: MTU "caching"
Replies: 5
Views: 340

Re: MTU "caching"

Routerboard has a linux kernel version 3 underlying it. I don't really remember if linux had the same behaviour then as now (a few things around route caching have changed), but the current behaviour is: * linux does path MTU discovery as needed (on receipt of ICMP fragmentation needed mess...
by nostromog
Sun May 05, 2019 6:50 pm
Forum: Scripting
Topic: Power out notification
Replies: 11
Views: 1013

Re: Power out notification

Detecting incoming power failure looks hard to impossible, but one possible way to very quickly/statelessly deliver a message is sending a ping of a specific size to a given server. Use the size of the ping as a "return code". You could simply execute something like: /ping myserver size=666 count...
by nostromog
Sun May 05, 2019 6:00 pm
Forum: Scripting
Topic: Detecting wireless roaming
Replies: 1
Views: 413

Re: Detecting wireless roaming

A tentative solution, the best I could come with: # ensure that registration/dhcp lease are current... do { :local GatewayIP [/ip dhcp-client get [find interface="wan-bridge"] gateway ] :local GatewayMac [/ip arp get [find address=$GatewayIP] mac-address ] :if (([:len [/interface bridge host find ma...
by nostromog
Sat May 04, 2019 5:53 pm
Forum: Useful user articles
Topic: How to opitimize list of IP4 addresses
Replies: 7
Views: 1799

Re: How to opitimize list of IP4 addresses

I think it is not working 100% right. Example: let's get all facebook IPv4 address ranges and process them with your program: $ (for orig in AS32934 AS63293 AS54115; do whois -h whois.radb.net -- "-i origin $orig"; done) | grep route: | awk '{print $2}' >facebook4.txt $ gcc -o optimizeip optimizeip...
by nostromog
Wed May 01, 2019 9:38 pm
Forum: Scripting
Topic: Detecting wireless roaming
Replies: 1
Views: 413

Detecting wireless roaming

Hi, I have a problem with a travel router relative to station mode and connect lists I set up a mAP Lite to connect as a station to different wifi APs using a connect list, and bridged it with a virtual AP. /interface wireless security-profiles set [ find default=yes ] group-ciphers="" supplicant-id...
by nostromog
Mon Apr 22, 2019 2:06 pm
Forum: Scripting
Topic: Reading POE status with script
Replies: 5
Views: 707

Re: Reading POE status with script

This works for me:
{
  :local test ([/interface ethernet poe monitor ether5 once as-value ]->"poe-out");
  :put $test
}
It needs once to ensure it finishes, and as-value to return the resulting data structure.
by nostromog
Fri Apr 19, 2019 1:03 am
Forum: General
Topic: IP Cloud
Replies: 37
Views: 8098

Re: IP Cloud

IP Cloud services include: Time-zone detection, that is enabled by default. And fails spectacularly when I'm in London, systematically thinking that I'm in Europe/Tallin: [user@router] > /system clock print time: 00:50:19 date: apr/19/2019 time-zone-autodetect: yes time-zone-name: Europe/Tallinn gm...
by nostromog
Thu Apr 18, 2019 12:32 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71029

Re: v6.45beta [testing] is released!

Also, I tried to netinstall once and it was not working; it seems to be really tricky with linux machines and difficult reset procedures... Connect your machine and router to a switch, then run netinstall with Wine as sudo and it will work flawlessly. I have no switch, I connected them straight, which g...
by nostromog
Tue Apr 16, 2019 11:50 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71029

Re: v6.45beta [testing] is released!

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%? Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export. I'm leaving the place where the machine that failed to upgrade yesterday is in a few hours, not...
by nostromog
Tue Apr 16, 2019 7:06 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71029

Re: v6.45beta [testing] is released!

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration: /ip ipsec peer add exchange-mode=ike2 name=router passive=yes /ip ipsec policy group add name=RoadWa...
by nostromog
Sat Apr 13, 2019 10:16 pm
Forum: Beginner Basics
Topic: Router for my new home!
Replies: 14
Views: 1164

Re: Router for my new home!

Hey mate, Greetings to all. I'm a new member in this community. I hope this is the right place to start my issue here. I need a router for my new home with 3 bedrooms. Which one would be reliable? Thank you so much for your reply. Things to consider: How is the upstream: Mikrotik has some routers t...
by nostromog
Mon Apr 08, 2019 7:45 pm
Forum: Wireless Networking
Topic: hAP ac wireless problem
Replies: 8
Views: 793

Re: hAP ac wireless problem

I bought a hAP ac router and didn't change the default settings. I have a problem with wireless. Every time I measure speed, on the laptop the result is about 80Mbps, but mobile devices show about 50Mbps. Why on mobile devices is the speed not max? I checked here, with different routers, but I find, in r...
by nostromog
Mon Apr 08, 2019 12:27 pm
Forum: General
Topic: [Feature request] Address List extension
Replies: 11
Views: 970

Re: [Feature request] Address List extension

I wish I knew how to deduplicate it.
When I tried ipv4 it was failing due to a duplicate, but changing sort -> sort -u makes it load. I edited the post. Removing entries that fall "inside" other entries, though, is a non-trivial programming problem.
by nostromog
Sun Apr 07, 2019 10:57 am
Forum: General
Topic: [Feature request] Address List extension
Replies: 11
Views: 970

Re: [Feature request] Address List extension

EDIT: Change sort to sort -u so that no full duplicates remain. How could we use this: whois -h whois.radb.net -- '-i origin AS15169' | grep ^route Which gets every IP address range Google uses Into a Mikrotik address list? Those two give separate raw prefix lists, one for IPv4 and another for IPv6...
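The pipeline the two posts above are after (whois output from RADB into a MikroTik address list), including the "entries that fall inside other entries" step that sort -u cannot do. This is an added example, not the forum's script: the whois output below is a constructed sample in the shape of RADB's route:/route6: attributes with a duplicate, a contained prefix and two adjacent halves deliberately included, and the list name "google" is an assumption. It goes a step beyond dedupe: ipaddress.collapse_addresses() also drops prefixes contained in a larger one and merges adjacent siblings into their supernet.

```python
"""RADB route:/route6: lines -> deduplicated, collapsed RouterOS address-list
commands (added example)."""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the shape of `whois -h whois.radb.net -- '-i origin ASxxxx'`
SAMPLE_RADB = """\
route:          8.8.8.0/24
origin:         AS15169
route:          8.8.8.0/24
origin:         AS15169
route:          8.8.4.0/24
origin:         AS15169
route:          8.8.0.0/16
origin:         AS15169
route:          192.0.2.0/25
origin:         AS15169
route:          192.0.2.128/25
origin:         AS15169
route6:         2001:4860::/32
origin:         AS15169
route6:         2001:4860:4860::/48
origin:         AS15169
"""


def parse_routes(text: str) -> List[Network]:
    """Pull the prefix out of every route:/route6: line; other RPSL attributes
    (origin:, descr:, ...) are ignored. strict=False tolerates a prefix that
    was written with host bits set instead of rejecting the whole import."""
    nets: List[Network] = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("route", "route6"):
            nets.append(ipaddress.ip_network(value.strip(), strict=False))
    return nets


def collapse(nets: Iterable[Network]) -> Tuple[List[ipaddress.IPv4Network],
                                               List[ipaddress.IPv6Network]]:
    """Deduplicate, drop prefixes contained in another, and merge adjacent
    siblings into their supernet. collapse_addresses() refuses a mixed
    IPv4/IPv6 iterable, so the families are split first."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def routeros_commands(list_name: str,
                      v4: Iterable[ipaddress.IPv4Network],
                      v6: Iterable[ipaddress.IPv6Network]) -> List[str]:
    """One RouterOS CLI line per surviving prefix, pasteable into a terminal
    or saved as an .rsc for /import."""
    cmds = [f"/ip firewall address-list add list={list_name} address={n}" for n in v4]
    cmds += [f"/ipv6 firewall address-list add list={list_name} address={n}" for n in v6]
    return cmds


def build(text: str, list_name: str) -> List[str]:
    """whois text in, RouterOS address-list commands out."""
    v4, v6 = collapse(parse_routes(text))
    return routeros_commands(list_name, v4, v6)


if __name__ == "__main__":
    print("\n".join(build(SAMPLE_RADB, "google")))
```

On the constructed input the eight route lines collapse to three entries (8.8.0.0/16, 192.0.2.0/24 and 2001:4860::/32), so the address list no longer carries the duplicate /24, the /24s inside the /16, the /48 inside the /32, or the two /25 halves as separate rows. Because a merged supernet covers exactly the same addresses as its parts, the collapsed list matches the same traffic as the raw one; it is only shorter.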
by nostromog
Fri Apr 05, 2019 2:12 pm
Forum: General
Topic: IPv6 connection attempts on port 35211
Replies: 0
Views: 222

IPv6 connection attempts on port 35211

I'm seeing connection attempts from a growing number of IPv6 addresses to port 35211, both UDP and TCP SYN packets. The connections target sometimes existing addresses but sometimes non-existing internal IPv6 addresses, so I'm not sure if it is an attempt to use me for distributed DoS... I'm using a...
by nostromog
Fri Apr 05, 2019 1:32 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 39992

Re: UKNOF 43 CVE

@pe1chl, question: in your setup externally initiated ipv6 traffic is disallowed right? Yes, externally initiated IPv6 traffic to random addresses is disallowed. I added this when NDP exhaustion attacks were discussed. Due to the address list, only systems that have initiated outbound traffic (with...
by nostromog
Fri Apr 05, 2019 2:05 am
Forum: Announcements
Topic: Tik App, MikroTik android utility ALPHA test
Replies: 425
Views: 144155

Re: Tik App, MikroTik android utility ALPHA test

Just wanted to chime in that the APP is working great ---> Router accessed remotely via IKEv2 connection to get to the router and then access APP once internal to the router. Fully agreed, last versions are good! One nit: I have a mAP Lite as Travel Router, and it has the main wireless interface in...
by nostromog
Wed Apr 03, 2019 4:35 pm
Forum: Scripting
Topic: Write IP to log
Replies: 4
Views: 405

Re: Write IP to log

Hi, Thanks a lot but unfortunately it isn't working. I even put a delay of 45s but no luck :-( #Get Ip And Save it To "RFC_WAN_IP.txt" File In Mikrotik /tool fetch url="http://myip.dnsomatic.com/RFC_WAN_IP.txt" mode=http delay 45s #Save Ip From "RFC_WAN_IP.txt" File To "MyVar" Variable :local myvar...
by nostromog
Sun Mar 31, 2019 9:46 pm
Forum: General
Topic: PPPoE server IP conflict
Replies: 3
Views: 308

Re: PPPoE server IP conflict

My big trouble was: The PPPoE server gave an IP (from pool) to a client that is in use for another client (that has a remote address with static IP). On PPP Active Connections have showed 2 clients with same IP. 1) Is that a BUG on RouterOS or does it do this as a feature? My guess is that the remote...
by nostromog
Sat Mar 30, 2019 5:53 pm
Forum: General
Topic: dial-on-demand and /ipv6 settings accept-router-advertisements
Replies: 0
Views: 234

dial-on-demand and /ipv6 settings accept-router-advertisements

I wonder what might be the relation between those two settings, apparently fully unrelated but I have a number of on-demand connections here that stopped working as soon as I changed the setting from the default value of "yes-if-forwarding-disabled" to "yes", and started working again when I went bac...
by nostromog
Sat Mar 30, 2019 9:19 am
Forum: General
Topic: How to filter internal traffic.
Replies: 3
Views: 322

Re: How to filter internal traffic.

Hi, Is it possible to filter internal traffic? Example - My network ID - 192.168.3.0 HOST A - 192.168.3.10 HOST B - 192.168.3.20 HOST B is listening on port 22. Now, I want to block HOST A (192.168.3.10) from accessing HOST B (192.168.3.20) on port 22. Thanks.. I'm not sure if you mean the feature of W...
by nostromog
Fri Mar 29, 2019 1:06 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 503

Re: ikev2 mikrotik to mikrotik strange behaviour

It is precisely this rule that causes the problem. If I disable it, no packet loss, if I enable it, packet loss ~ 40-60% [admin@MikroTik] > /ip firewall filter print where action=fasttrack-connection Flags: X - disabled, I - invalid, D - dynamic 0 X ;;; defconf: fasttrack chain=forward action=fasttr...
by nostromog
Fri Mar 29, 2019 10:34 am
Forum: General
Topic: DHCP keeps broadcasting and can not stop it!
Replies: 5
Views: 945

Re: DHCP keeps broadcasting and can not stop it!

Check the status of /interface detect-internet print

For each interface to be checked it will send a DHCP discover packet per second to peek whether it is a LAN (it considers an interface where a DHCP server exists to be a LAN).
by nostromog
Thu Mar 28, 2019 8:14 pm
Forum: Wireless Networking
Topic: Home glamourous Mesh Wi-Fi?
Replies: 2
Views: 612

Re: Home glamourous Mesh Wi-Fi?

by nostromog
Thu Mar 28, 2019 7:54 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 503

Re: ikev2 mikrotik to mikrotik strange behaviour

Must be caused by FastTrack. Exclude the traffic subject for IPsec processing from being FastTracked in firewall's forward chain by adding accept rules before the action=fasttrack-connection rule. I'm not sure how to exclude this traffic. I already have firewall rules (this is the beginning of /ip ...
by nostromog
Thu Mar 28, 2019 2:00 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 503

Re: ikev2 mikrotik to mikrotik strange behaviour

Sounds very weird. I would try to locate the issue more precisely with packet sniffer. Ping is bidirectional traffic. With packet sniffer you could verify whether the packet is at least received on the other end. Also verify ESP or UDP/4500 packets are properly sent out and received. Just setting /...
by nostromog
Thu Mar 28, 2019 12:38 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 503

Re: ikev2 mikrotik to mikrotik strange behaviour

What model routers are involved? Is hardware offloading used? Do you see anything suspicious under IPsec statistics? The server is a hAP ac, running 6.44.1. As far as I know it does not support hardware offloading. It is in a PPPoE based ISP. Under IPsec statistics there are a few non-zero items, bu...
by nostromog
Wed Mar 27, 2019 6:50 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 503

ikev2 mikrotik to mikrotik strange behaviour

I have set up a ikev2 network between mikrotiks, like this. The server has two networks, one local 192.168.88.0/254 and one for the current vpn: 192.168.89.0/24. I'm setting a new VPN (192.168.90.0/24) and want it to be used to access all three networks, In the server, this is the result of /ip ipse...
by nostromog
Tue Mar 26, 2019 8:08 pm
Forum: Beginner Basics
Topic: How to remove the static switch from this setup ?
Replies: 16
Views: 625

Re: How to remove the static switch from this setup ?

connect isp utp directly to Mikrotik ether1 connect your home router to etherXX (any open port) create a new bridge make ether1 and etherXX part of that bridge. Done You will also have to substitute the new bridge name in the WAN interface list, and anywhere else that ether1 appears. For instance, ...
by nostromog
Thu Mar 21, 2019 10:32 am
Forum: Announcements
Topic: Tik App, MikroTik android utility ALPHA test
Replies: 425
Views: 144155

Re: Tik App, MikroTik android utility ALPHA test

Well the above posters already gave a hint. You have joined a private beta program and installed that invite-only version. You should delete it, delete the "TestFlight" app which manages the Beta programs, and then install the application that is meant for everyone (the one in the AppStore). Probab...
by nostromog
Wed Mar 20, 2019 1:09 pm
Forum: General
Topic: IP IPsec Package missing in router
Replies: 3
Views: 437

Re: IP IPsec Package missing in router

/ip ipsec export --- hangs the router console terminal session. @Mikrotik support, what could be the issue. I had the same thing happening in a machine 100% CPU and unable IPsec. See 6.44 thread. Only solution I found was disable security, reset+restore from backup, re-enable security Sent from my ...
by nostromog
Tue Mar 19, 2019 11:12 pm
Forum: General
Topic: How to replicate home WiFi while staying in a hotel (VPN, capsman)?
Replies: 1
Views: 303

Re: How to replicate home WiFi while staying in a hotel (VPN, capsman)?

It is possible, but in the general case it is very tricky. I'm building myself a travel router with a mAP Lite, mostly following the ideas from Lorenzo Bussatti ( https://www.youtube.com/watch?v=VeZetH9uX_Y ). I have it mostly working with a few VPN networks dialled on demand to route private ranges...
by nostromog
Mon Mar 18, 2019 8:24 am
Forum: General
Topic: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]
Replies: 11
Views: 792

Re: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]

If the ISP uses SLAAC on the point to point link between you and them then there is a setting that allows the router to get an address that way. I believe it is global though. Makes your device behave like a client as in IPv6 those are the devices that should react to other routers RAs. They "shoul...
by nostromog
Sun Mar 17, 2019 7:21 pm
Forum: Beginner Basics
Topic: Recommend way to block Ads with Mikrotik
Replies: 9
Views: 3277

Re: Recommend way to block Ads with Mikrotik

Hello, are you using Mikrotik to block ads? I know there is i.e. Pi-hole but I'm afraid pages loading will work slower if there will be requests to raspberry. I made some tests with a pi-hole running with docker in my laptop and I don't think any slowing will be significant. But I don't have a plac...
by nostromog
Sat Mar 16, 2019 11:35 pm
Forum: General
Topic: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]
Replies: 11
Views: 792

Re: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]

My provider gives a /56 per client, using prefix delegation. All I had to do is to add a ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=mypool request=prefix to get the /56. If it does not work with your provider, try "request=address" After you get a prefix you can get your o...
by nostromog
Sat Mar 16, 2019 10:39 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18484

Re: v6.44.1 [stable] is released!

FYI The 4th machine that I upgraded to 6.44.1 (from 6.44) started to show 100% CPU (profiled to be in ipsec) and would not respond to "/ export" or even "/ip ipsec remote-peers print". I could disable security and reboot and it was working, but without access to the disabled configuration, re-enabli...
by nostromog
Fri Mar 15, 2019 8:25 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18484

Re: v6.44.1 [stable] is released!

What for *) winbox - added "use-local-address" parameter in "IP/Cloud" menu; From what I have seen I'd say it means that IP/Cloud will expose your internal addresses in DNS. If you have a router inside your company that got 192.168.88.206 this will be the address it will return where will return? Sent from...
by nostromog
Thu Mar 14, 2019 11:02 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18484

Re: v6.44.1 [stable] is released!

What for *) winbox - added "use-local-address" parameter in "IP/Cloud" menu; From what I have seen I'd say it means that IP/Cloud will expose your internal addresses in DNS. If you have a router inside your company that got 192.168.88.206 this will be the address it will return Sent from my Redmi Note 5 us...
by nostromog
Thu Mar 14, 2019 4:19 pm
Forum: General
Topic: problems with import .rsc files on mAP Lite
Replies: 4
Views: 329

Re: problems with import .rsc files on mAP Lite

Hi all, I wanted to export the configuration of my mAP lite in a *.rsc and import it after a reset of the device, but it doesn't work. The device gets in some status where it doesn't work any more and I have to hard reset it via reset button. I had the same problem, caused by a Certificate for a VPN: it ...
by nostromog
Wed Mar 13, 2019 6:41 pm
Forum: Scripting
Topic: Useful scripts
Replies: 52
Views: 91755

Re: Useful scripts

However, the script would have to run every 10 seconds... Is there another way to have the firewall rule trigger a script? I don't think so. There are a few places where scripts can be triggered in response to events: in /ppp profile (on-up, on-down), useful for all ppp-based interfaces (pptp, l2tp...
by nostromog
Wed Mar 13, 2019 9:45 am
Forum: Scripting
Topic: How to really make backups (by script) ?
Replies: 15
Views: 941

Re: How to really make backups (by script) ?

Use export. Upload export.rsc. Do /system reset-configuration no-defaults=yes run-after-reset=export.rsc. This will reset device without default values and import the new settings. Don't forget to backup certificates and keys, if you have VPN server/client definitions. Also files if you have a cust...
by nostromog
Mon Mar 11, 2019 4:37 pm
Forum: Forwarding Protocols
Topic: PPTP problem - empty winbox [SOLVED]
Replies: 7
Views: 965

Re: PPTP problem - empty winbox [SOLVED]

Ensure that your firewall is allowing GRE related connections. If you don't it will not work

Sent from my Redmi Note 5 using Tapatalk

by nostromog
Fri Mar 08, 2019 9:58 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 36179

Re: v6.44 [stable] is released!

I still do not get what really is this new power line. If you compare this https://i.mt.lv/cdn/rb_files/mAP_lite-180606124033.png (the block diagram of a mAP Lite with this https://i.mt.lv/cdn/rb_files/PL7411-2nD-181218095520.png you will see that what they have presented is a power supply that tur...
by nostromog
Fri Mar 08, 2019 2:31 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 36179

Re: v6.44 [stable] is released!

Interface for the new PWR line adapter coming in the next months.
hAP mini & hAP lite have it. Basically power the device and transfer data via the micro-USB port.
Also the mAP Lite 2nd (at least mine, revision r2. I'm not sure about older ones)

I just bought a few and they came with this surprise. :)
by nostromog
Fri Mar 08, 2019 8:18 am
Forum: General
Topic: ARP/DHCP issue [SOLVED]
Replies: 9
Views: 830

Re: ARP/DHCP issue [SOLVED]

When a host behind a NAT wants to reach an Internet address, how does that work? Does it do an ARP request or does it send the packets straight to the gateway since it already assumes the address not to be on the same L2 network? There are two kind of routes in the IP protocol: interface routes (or...
by nostromog
Fri Mar 08, 2019 8:01 am
Forum: General
Topic: Wireless Recommendation Wanted
Replies: 7
Views: 430

Re: Wireless Recommendation Wanted

The cAP AC and the hAP ac² are the best. The hAP has 5 ports if you need them. These units are not outdoor rated, if you need that you'll need to consider the wAP AC. Do you think inside an RV type environment would be considered "outside"? It would be protected from rain and dust, but would have l...
by nostromog
Wed Mar 06, 2019 1:53 am
Forum: General
Topic: dynamic ip in a dst-nat rule
Replies: 5
Views: 272

Re: dynamic ip in a dst-nat rule

Question is if I somehow can say to the dst-address in the NAT rule "use the address you got assigned on ether1" ? In a separate thread somewhere around I read that one way would be: * activate /ip cloud set ddns-enabled=yes update-time=no (for time it is better to use ntp) * create a mypublicip fi...
by nostromog
Tue Mar 05, 2019 8:16 pm
Forum: General
Topic: DHCPv6 Prefix Request Response not happening. How to Trace Debug?
Replies: 9
Views: 667

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

This worked for my provider: /ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=mypool \ pool-prefix-length=60 request=prefix And the dhcp client will create a dynamic /ipv6 pool that will deliver /60 networks. ether1 is the connection to my provider. I also address my local netw...
by nostromog
Fri Mar 01, 2019 11:20 pm
Forum: Beginner Basics
Topic: DHCP Server Issues
Replies: 26
Views: 1501

Re: DHCP Server Issues

/interface detect-internet snoops and sets up dynamic dhcp-server in interfaces. This might be confusing some computers.

If you have it configured and you are not using it, which is usually only worthwhile in very dynamic situations, you might disable it to see if it helps.
by nostromog
Wed Feb 27, 2019 10:18 pm
Forum: Beginner Basics
Topic: VPN
Replies: 1
Views: 241

Re: VPN

Sirs, good morning! I wonder if it is possible to leave mikrotik with two VPN configurations, one pptp and another l2tp, both active and functional. * Do you mean as a server? The answer is yes. Additionally, the users can remain the same. I migrated PPTP -> L2TP/IPsec very easily: - ensure /ppp se...
by nostromog
Wed Feb 27, 2019 1:00 pm
Forum: Scripting
Topic: ReNumber ip address via script ?
Replies: 2
Views: 292

Re: ReNumber ip address via script ?

It is tricky. I would do "/ export file=config-..." for all of them, or at least the main types, and get the files via scp or ftp. Then you can look at the places that need renumbering. I don't use ospf, but I'd still need to change things in a lot of submenus: /ip pool, /ppp profile, /ip address, /...
by nostromog
Wed Feb 27, 2019 11:57 am
Forum: General
Topic: Exclude guest network from fasttrack to limit its bandwidth with simple queue - possible? [SOLVED]
Replies: 5
Views: 670

Re: Exclude guest network from fasttrack to limit its bandwidth with simple queue - possible? [SOLVED]

It is possible that the confusion has arisen because the accept=established,related,untracked works with long term connections, so when you make changes you need to wait for existing connections to end, or else remove them (which will cause a storm of invalid packets...) You can watch the existing c...
by nostromog
Wed Feb 27, 2019 11:06 am
Forum: Beginner Basics
Topic: SSL/SSH/WINBOX to router not working using the ipv6 address
Replies: 1
Views: 241

Re: SSL/SSH/WINBOX to router not working using the ipv6 address

Edit my own typo /7 -> /8 Hi, you have some typos in your firewall rules. Multicast addresses are ff00::/8, and link-local ff80::/10 (twice, in the address-list and in the multicast rule. See https://www.ripe.net/participate/member-support/lir-basics/ipv6_reference_card.pdf Change as /ipv6 firewall...
by nostromog
Tue Feb 26, 2019 1:24 am
Forum: General
Topic: IPv6 routing with several interfaces [SOLVED]
Replies: 3
Views: 799

Re: IPv6 routing with several interfaces [SOLVED]

To solve (sort of) my own question, in case anyone finds it useful: I revisited the issue in a more realistic case where I got two different /64 addresses in office routers: * a nnaa:ttii:vvee:main::/64 comes from the native pool, and I use it as /ipv6 address add address=::1 from-pool=wlan interfac...
by nostromog
Fri Feb 22, 2019 12:11 am
Forum: Beginner Basics
Topic: Firewall Rule for Remote Connection (ts)
Replies: 4
Views: 386

Re: Firewall Rule for Remote Connection (ts)

For ssh connections I'm doing this once per hour: do { :foreach mess in=[/log find where message~"failure.*via ssh" ] do={ :local tim [/log get $mess time]; :local line [/log get $mess message]; :local fr [:find $line "from "]; :local addr [:pick $line ($fr+5) [:find $line " via"]]; :local usr [:pic...
by nostromog
Thu Feb 21, 2019 12:39 pm
Forum: Beginner Basics
Topic: L2TP/IPsec connection without sharing internet [SOLVED]
Replies: 5
Views: 453

Re: L2TP/IPsec connection without sharing internet [SOLVED]

Hi All I configured our RB931 to connect to a remote L2TP server, which works fine, but I would prefer if all internet traffic did not go across the tunnel as well. I remember on Windows there was an option to unselect (something about remote gateway). How would I do this on our Mikrotik? Thanks, R...
by nostromog
Sat Feb 16, 2019 1:53 am
Forum: General
Topic: IP Cloud
Replies: 37
Views: 8098

Re: IP Cloud

IP Cloud is made so that it does not pose a security threat. It will assign FQDN to IP address of your router. In RouterOS 6.43 or newer - it will have both A and Quad A entry maintained by the router (if both v4 and v6 connections can reach our backend). There is a clear problem not being able to ...
by nostromog
Mon Feb 11, 2019 11:28 am
Forum: General
Topic: RouterOS 6.7 - /queue monitor show zeroes
Replies: 1
Views: 899

Re: RouterOS 6.7 - /queue monitor show zeroes

With
/queue monitor
I'm also seeing zero values, when there are simple queues and they are in use and dropping packets occasionally.

Also, I can't find any documentation on this option. Is
/queue monitor
a residual from old versions? something not (yet) implemented?

Thanks
by nostromog
Thu Feb 07, 2019 10:38 am
Forum: Beginner Basics
Topic: New Hap AC2 setup. Couple of questions/problems
Replies: 3
Views: 1012

Re: New Hap AC2 setup. Couple of questions/problems

Your configuration looks ok. I would check cabling issues in the ethernet lan side. You can check the status in the Mikrotik with something like this (it is from a hAP ac, slightly different as it has the sfp1 port: [admin@MikroTik] > /interface ethernet monitor [find] name: ether1 ether2 ether3 eth...
by nostromog
Sat Feb 02, 2019 9:57 am
Forum: General
Topic: Need Assistance with Syntax
Replies: 4
Views: 396

Re: Need Assistance with Syntax

I think this should work /ip dhcp-server lease print where !dynamic and !disabled and !(comment~"disregard") I prefer it to: ip dhcp-server lease print where !(dynamic) && !(disabled) && !(comment~"disregard") For some reason the regex matching operator "~" requires parenthesis when negated. Priori...
by nostromog
Sat Feb 02, 2019 4:44 am
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1391

Re: High number of established connections for one address

What is the use-case here of opening a ssh session and letting it sit for 30 minutes with NO data flowing in either direction? The established timeout is after last packet sent... Edit: actually that would even be a security issue! My use cases for this are: the boss interrupting me for half an hou...
by nostromog
Thu Jan 31, 2019 3:41 pm
Forum: General
Topic: Problem with arp
Replies: 0
Views: 362

Problem with arp

I had yesterday a sudden, unexpected outage in a small Mikrotik router I'm using for internet temporarily. At the moment I had little firewall protection as it was a quick experiment that lasted a bit more than expected, now I have taken care of it. The setup is: * I'm running Router OS 6.43.8, a qu...
by nostromog
Sun Jan 27, 2019 4:15 pm
Forum: General
Topic: a clear configuration L2TP server on a Mikrotik router
Replies: 6
Views: 1247

Re: a clear configuration L2TP server on a Mikrotik router

Here is how to do it for iOS and Windows 10. Note, that the Windows 10 profile needs to be created via command line to get AES256 support. I don't have experience with Android, but generally speaking, if you can't connect you'll need to use hash-algorithm=sha1 and other less secure methods (not rec...
by nostromog
Tue Jan 01, 2019 1:42 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 28
Views: 2848

Re: Why (not) use Hairpin NAT

It is a balance between requirements. Even for a small company dealing with around 30 identities it is tricky and sometimes impossible to force all people to use our internal DNS, as there are different use cases: cloud servers connecting to server through VPN need stable addressing road warriors te...
by nostromog
Thu Dec 13, 2018 1:03 am
Forum: General
Topic: IPv6 routing with several interfaces [SOLVED]
Replies: 3
Views: 799

IPv6 routing with several interfaces [SOLVED]

I have a router in one provider who didn't read RFC 6177 and thus assigns my MikroTik router 1 (YES, I said ONE) IPv6 in ether1, using DHCPv6. It also tells me gently to set up a default router to this interface. They also block protocol 41, because they don't want my life to be too easy. To be able...
by nostromog
Tue Dec 11, 2018 2:04 pm
Forum: General
Topic: ikev2 ports [SOLVED]
Replies: 7
Views: 2050

Re: ikev2 ports [SOLVED]

Okay, 50% of mystery solved :) Why is then my connection working even while I'm not allowing ipsec protocol (50) on input chain? IPsec works as follows: * IKE (Internet Key Exchange) protocol is used to set up a security association (SA) by agreeing on short-term crypto parameters. IKE requires UDP ...
by nostromog
Wed Dec 05, 2018 11:59 am
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 12243

Re: v6.43.7 [stable] is released!

My data point. I updated 2.5 routers (.5 is the testing one, an hAP ac lite, and 2 production hAP ac). Two small offices with some tunneling and a VPN stuff. Everything seems to work ok after a few hours, nothing happened re: configuration changes, etc. Really smooth. It looks slightly more performa...
by nostromog
Mon Dec 03, 2018 12:09 pm
Forum: General
Topic: How are hardware ports associated with names
Replies: 5
Views: 609

Re: How are hardware ports associated with names

As for the confusion between user-assigned interface names and the original names, here's what can help you: foreach ifid in=[interface find where default-name~"."] do={put ([/interface get $ifid name]." is a user-defined alias of ".[interface get $ifid default-name])} Slightly changed you can prin...
by nostromog
Thu Nov 29, 2018 2:05 pm
Forum: Wireless Networking
Topic: WAP with IPv6
Replies: 8
Views: 783

Re: WAP with IPv6

I have already tried this example but I don't have LLA on the required interface wlan1 as described in the example: "We also have link local address on the interface which is created automatically for every IPv6 capable interface." Does it mean that my wlan1 interface as well as both ether1 and eth...
by nostromog
Wed Oct 17, 2018 1:44 pm
Forum: General
Topic: ROS 6.43.2 export config BUG
Replies: 3
Views: 356

Re: ROS 6.43.2 export config BUG

I found another bug that could qualify as a security problem: [admin@MyMikroTik] > /interface 6to4 export hide-sensitive # oct/17/2018 12:40:30 by RouterOS 6.43.2 # software id = 07CG-QIMK # # model = RouterBOARD 962UiGS-5HacT2HnT # serial number = NNNNA123NNN /interface 6to4 add ipsec-secret=REALLY...
by nostromog
Sun Oct 14, 2018 8:23 pm
Forum: General
Topic: Silly feature request
Replies: 0
Views: 268

Silly feature request

For home or SOHO users it might be nice to have: * a new type of /system logging action, something like "led" * a new type of firewall action (or maybe a led parameter), so that a firewall rule would trigger... * a new type of led type, sys-alert So I could have the red led in the routers blinking f...
by nostromog
Thu Oct 11, 2018 12:15 am
Forum: Beginner Basics
Topic: Proper model and settings for small ofice
Replies: 4
Views: 344

Re: Proper model and settings for small ofice

... a suitable Microtik model to combine 2 vendors, as there is often no connection with the current vendor. We did something similar (but for load balance) recently, in an office a bit bigger than yours and IT, so with heavy use things such as git or docker images... The office has 1 server and 4 ...
by nostromog
Wed Oct 10, 2018 10:27 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 1163

Re: Problem with 6to4 inside PPPoE [SOLVED]

Solved!

I no longer need workarounds, and can confirm that for me HE tunnels work all right:

after a firmware upgrade of my HGU from _n43 to _n53 now my HE tunnel works like a charm!
by nostromog
Wed Oct 10, 2018 3:48 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 1163

Re: Problem with 6to4 inside PPPoE [SOLVED]

Why you don't want to make HE tunnel mtu lower than pppoe tunnel mtu? Where have you got the idea that I don't want? When PPPoE tunnel MTU is 1492, 6to4 tunnel MTU is 1472, 20 bytes smaller when PPPoE tunnel MTU is 1480 (what MikroTik negotiates), 6to4 tunnel MTU is 1460... 20 bytes smaller again a...
by nostromog
Wed Oct 10, 2018 11:10 am
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 1163

Re: Problem with 6to4 inside PPPoE [SOLVED]

So what MTU do you have on the 6to4 after all? And in the HE cabinet? Yesterday night I made the final test: I patched rp-pppoe code so that it would accept packets with the wrong length at header field and run PPPoE + HE 6to4 tunnel in my laptop. $ git clone git@github.com:Distrotech/rp-pppoe.git ...
by nostromog
Wed Oct 10, 2018 1:42 am
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 1163

Re: Problem with 6to4 inside PPPoE [SOLVED]

But I have tried auto, 1500 (upping my L2 MTU), 1492, 1488, 1480 (which is the one that gets selected when I say "auto"). PPPoE default is 1492, 6to4 subtracts 20 (that is why "auto" is 1480=1500-20), so you should at least try 1472. And specify it on both ends - yours and in HE settings as well. ...
by nostromog
Tue Oct 09, 2018 4:58 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 1163

Re: Problem with 6to4 inside PPPoE [SOLVED]

Why you using ethernet interface for pppoe traffic, when your transport is ISP vlan? If you meant that in your ISP infra exists vlan, you don't need worry about it, cause ISP had to pop up his l2 mtu on all his switches. VLANs are only visible in the "outer" side, when I mirror the fibre into one o...
by nostromog
Tue Oct 09, 2018 2:05 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 1163

Re: Problem with 6to4 inside PPPoE [SOLVED]

There it is, I edited the tunnel endpoints and I'm not posting the addresses/routes or serial numbers. BTW, /interface 6to4 export hide-sensitive does NOT hide the "ipsec-secret" attribute that I have in a different, ipsec protected, 6to4 tunnel that works perfectly. :) As I said, ICMP, UDP and TCP ...
by nostromog
Mon Oct 08, 2018 7:28 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 1163

Problem with 6to4 inside PPPoE [SOLVED]

I have had a long nightmare trying to connect my machine to Hurricane Electric tunnelbroker. Now it is no longer a nightmare, at least I know the problem, even if I have not yet found a solution. Context: * My provider, Telefonica/Movistar, dominant operator in Spain, is well known for its neglect t...
by nostromog
Sun Sep 23, 2018 6:27 pm
Forum: Scripting
Topic: "No such item (4)" while counting connections
Replies: 11
Views: 1055

Re: "No such item (4)" while counting connections

I think using
:set result [:len [/ip firewall connection find where dst-address~":80"]]
is cleaner. And in my experience, for some arcane reason, avoids the non-atomic list traversal.
by nostromog
Sun Sep 23, 2018 11:35 am
Forum: Beginner Basics
Topic: Router connections
Replies: 5
Views: 622

Re: Router connections

TIME-WAIT is one of the states through which the TCP protocol state machine models its connections

This is a reasonable explanation of it: https://community.apigee.com/articles/7 ... ained.html
by nostromog
Wed Sep 19, 2018 1:07 am
Forum: General
Topic: NAT out over multiple IPs
Replies: 2
Views: 292

Re: NAT out over multiple IPs

This was working for me (with two addresses only): https://wiki.mikrotik.com/wiki/ECMP_load_balancing_with_masquerade The idea is to send packets starting connections, be they forwarded or originated locally, randomly through the N addresses, and to mark for use of the same IP packets received from ...
by nostromog
Tue Sep 18, 2018 5:31 pm
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 1135

Re: Port 60000 attacks, anyone info on this?

I'm seeing them too. From two different routers: [admin@MikroTik] > /log print count-only where message~":60000->" 6 and [admin@MikroTik] > /log print count-only where message~":60000->" 14 They are stealth in the sense that they avoid typical blacklisting attempts; just a few contacts per hour comi...
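Both the hourly ssh-failure sweep from the "Firewall Rule for Remote Connection" post above and the `:60000->` log count in this post are log-parsing problems, so here is one added example (not code from either post) that does both offline. It assumes the log was exported with `/log print` or forwarded over syslog as `time topics message` lines, that the firewall rule logging the probes uses `action=log log-prefix=input`, and that the sample lines are constructed; the message formats follow the usual RouterOS `login failure for user X from A.B.C.D via ssh` and `proto TCP (SYN), src:port->dst:port, len N` wording.

```python
"""Pull attacker sources out of RouterOS log lines.

Added example, not code from either forum post. Assumes 'time topics message'
lines as produced by `/log print`; SAMPLE_LOG is constructed and its firewall
entries assume a rule with action=log log-prefix=input. Only IPv4 sources are
parsed, since the address:port layout of IPv6 log entries is not assumed here.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
12:00:01 system,error,critical login failure for user admin from 198.51.100.7 via ssh
12:00:04 system,error,critical login failure for user root from 198.51.100.7 via ssh
12:00:09 system,error,critical login failure for user admin from 198.51.100.7 via ssh
12:03:40 system,error,critical login failure for user admin from 203.0.113.9 via ssh
12:05:12 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.10:43211->203.0.113.1:60000, len 40
12:31:55 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.11:43212->203.0.113.1:60000, len 40
12:58:07 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto UDP, 192.0.2.10:43213->203.0.113.1:60000, len 60
13:10:00 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.12:5555->203.0.113.1:22, len 40
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SSH_FAIL_RE = re.compile(
    rf"login failure for user (?P<user>\S+) from (?P<addr>{IPV4}) via ssh")
FW_RE = re.compile(
    rf"proto (?P<proto>TCP|UDP)[^,]*, (?P<src>{IPV4}):(?P<sport>\d+)->"
    rf"(?P<dst>{IPV4}):(?P<dport>\d+)")


def ssh_failures(log_text, threshold=3):
    """Count failed ssh logins per source; return sources at or over threshold
    together with the user names they tried."""
    per_source = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m:
            per_source[m["addr"]] += 1
            users[m["addr"]].add(m["user"])
    return {addr: {"failures": n, "users": sorted(users[addr])}
            for addr, n in per_source.items() if n >= threshold}


def port_probes(log_text, port):
    """Group firewall-logged hits on one destination port by source address.
    Each hit is (timestamp, protocol); a source with hits spread over the
    hour is the slow-probe pattern the post describes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and int(m["dport"]) == port:
            stamp = line.split(" ", 1)[0]
            hits[m["src"]].append((stamp, m["proto"]))
    return dict(hits)


def blocklist_commands(addrs, list_name, timeout="1d"):
    """Render timed address-list entries for the offending sources."""
    return [f"/ip firewall address-list add list={list_name} address={a} timeout={timeout}"
            for a in sorted(addrs)]


if __name__ == "__main__":
    bad = ssh_failures(SAMPLE_LOG)
    print("ssh brute force:", bad)
    print("port 60000 probes:", port_probes(SAMPLE_LOG, 60000))
    print("\n".join(blocklist_commands(bad, "ssh_blocklist")))
```

The threshold keeps a single mistyped password from landing a legitimate admin on the block list; the timeout mirrors the dynamic entries the router itself would create, so the list does not grow without bound.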
by nostromog
Mon Sep 17, 2018 8:37 pm
Forum: Beginner Basics
Topic: How to configure VPN on my Microtik?
Replies: 2
Views: 557

Re: How to configure VPN on my Microtik?

You need to know the technology of your provider. RouterOS offers you # L2TP client /interface l2tp-client add name="my-provider" connect-to="ip" user="myusername" password="mypassword" # Open VPN client /interface ovpn-client add... #same options # SSTP client /interface sstp-client add... #same op...
by nostromog
Fri Sep 14, 2018 1:06 am
Forum: Scripting
Topic: Parser bug
Replies: 1
Views: 300

Parser bug

While trying to code a small script I found a problem with "=" in associative arrays: [admin@MikroTik] > :put ({"a"."b"=1;"b"."a"=2;"ab"=3}); false;false;ab=3 Basically, in an array, if the key is not a literal, the equal sign is taken as a comparison operator and it is impossible to use. My use cas...
by nostromog
Tue Sep 11, 2018 5:25 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 28728

Re: v6.43 [current] is released!

I upgraded one hAP ac to 6.43 about 27 hours ago, everything is working well as far as I can tell. I'll upgrade our other machines during the weekend. The machine I upgraded was the one running 6.43rc64 before (never got time to test the last rc). it looks much faster now, but I guess rc are built wi...
by nostromog
Sat Sep 08, 2018 3:19 am
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 39
Views: 2319

Re: [SOLVED] IPv6 pings work, webpage won't load

Yes, my router is the client. I have experimented with those values, but everything is consistent and ipv4 works like a charm. From linux I can ping ipv6.tunnelbroker.net with up to 1360 bytes, ipv6.google.com up to 1232 bytes, more than this (no upper limit) is a blackhole for both: Have you tried...
by nostromog
Sat Sep 08, 2018 2:59 am
Forum: General
Topic: iPhone tethering to Mikrotik?
Replies: 12
Views: 5427

Re: iPhone tethering to Mikrotik?

I have tried USB tethering with an Android phone, and it works well:

* Connect the phone to the RB, it will be seen as lte1
* Go to Tethering and select USB tethering

I tried it with a phone that was connected to a different wifi than the router, and also using the SIM, and it worked well.
by nostromog
Wed Aug 29, 2018 12:08 am
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 39
Views: 2319

Re: [SOLVED] IPv6 pings work, webpage won't load

Does not make any difference, I tried all the combinations of values. Additionally I restricted all MTUs (of both the 6to4 and their side) to 1280 as they instruct to do, or left me/them as 1480, 1472, 1460, 1452... Always the same behaviour. I'm a bit lost. I tried the mangle rules, but no change....
by nostromog
Tue Aug 28, 2018 7:25 pm
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 39
Views: 2319

Re: [SOLVED] IPv6 pings work, webpage won't load

mducharme If using HE tunnelbroker over PPPoE you need to lower the MTU on the tunnelbroker side, the default on their end is 1480 which is too big if you have PPPoE overhead. If your PPPoE is 1480, decrease that setting to 1460, and then it should be OK. It is done through their web interface under...
by nostromog
Mon Aug 27, 2018 6:09 pm
Forum: General
Topic: pppoe-out connection
Replies: 13
Views: 968

Re: pppoe-out connection

One way to force script execution when a connection changes state is to use the on-up / on-down attributes of the /ppp profiles. So you could have something like: /interface pppoe-client add add-default-route=yes disabled=no interface=ether1 max-mru=1500 max-mtu=1500 mrru=1614 name=pppoe-out1 passwo...
by nostromog
Mon Aug 27, 2018 2:24 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 30892

Re: v6.42.7 [current] is released!

I upgraded during the weekend 1 hap ac (from 6.42.6) and 1 751G-2HnD (from 6.42.5 firmware 6.42.4, as I had forgotten one reboot). No problem with either of them.

In both I changed to "disable-pmkid=yes". No problem with wifi has been reported (and I warned the people in advance).
by nostromog
Sat Aug 25, 2018 3:24 am
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 39
Views: 2319

Re: [SOLVED] IPv6 pings work, webpage won't load

I have pretty much the same problem, in my case ipv6 is a 6to4 tunnel inside a pppoe interface. Could the problem be coming from some "inherit" in do-not-fragment that makes the ipv4 tunnel drop the ipv6 big packet, and thus the ipv6 stack never sees the error? (wild guess)
by nostromog
Mon Aug 20, 2018 7:58 pm
Forum: Scripting
Topic: Blacklisting seems popular, honeypot made simple
Replies: 12
Views: 2242

Re: Blacklisting seems popular, honeypot made simple

I wrote a small combination of white/blacklist, download and parsing of the dshield 20 top attackers lists (which I download every hour with a timeout of 1w, so it keeps growing but not beyond ~60 hosts) and fail2ban for failed ssh attempts. The combo is mostly lightweight, like yours, and is droppi...
by nostromog
Sat Aug 18, 2018 5:44 pm
Forum: Beginner Basics
Topic: Does hairpin NAT work from target to itself?
Replies: 1
Views: 278

Does hairpin NAT work from target to itself?

I have a setup with hairpin, and for simplicity I want to be able to test from the destination machine itself. I have router public ip<--------------------target ip target router ip-------------------->target ip router ip<--------------------target ip public ip-------------------->target ip It is no...
by nostromog
Thu Aug 16, 2018 10:54 pm
Forum: General
Topic: Scripting assistant for dummies.
Replies: 1
Views: 366

Re: Scripting assistant for dummies.

I got a lot of information from the export command. Once you have the router configured, you do / export file="config-<loc>-2018-08-16-01" And later scp admin@192.168.88.1:config-<loc>-2018-08-16-01.rsc ~/router/configs/ The name is designed so that you can have several router histories of configura...
by nostromog
Thu Aug 16, 2018 8:29 am
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 29635

Re: v6.42.6 [current]

Problem with 6.42.6 and 6.43rc51 We have 3 routers, one running 6.42.5, one 6.42.6 and the third one got 6.43rc51 while trying to solve some problems and stood there for the moment. Now, in the one with 6.42.5 /system history print works perfectly, but in the other two it produces the same output: ...
by nostromog
Tue Aug 14, 2018 10:36 am
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 29635

Re: v6.42.6 [current]

Problem with 6.42.6 and 6.43rc51 We have 3 routers, one running 6.42.5, one 6.42.6 and the third one got 6.43rc51 while trying to solve some problems and stood there for the moment. Now, in the one with 6.42.5 /system history print works perfectly, but in the other two it produces the same output: [...
by nostromog
Sat Aug 04, 2018 8:54 am
Forum: General
Topic: Routing/arp problem [solved]
Replies: 2
Views: 967

Re: Routing/arp problem [solved]

After carefully discarding all the rest, I found what was the deep cause of it. I'm explaining here to help others: In my original I simplified my exposition of the problem to avoid swamping you with data. We really have dual up-streams here, and I was using the solution Dual WAN Load-Balancing with...
by nostromog
Wed Aug 01, 2018 2:23 pm
Forum: General
Topic: Routing/arp problem [solved]
Replies: 2
Views: 967

Routing/arp problem [solved]

I have a relatively standard Mikrotik setup where the VPN connections appear as <l2tp-user> interfaces, with <vpn-address>/32 <router-vpn-address>. The internal machines are in a bridge ether3-ether5, with the upstream directly connected in ether1. I'm not sure if my problems started with some confi...
by nostromog
Sat Jul 21, 2018 8:38 pm
Forum: General
Topic: Did recent updates break Path MTU discovery ?
Replies: 1
Views: 605

Re: Did recent updates break Path MTU discovery ?

I seem to be seeing a very similar behaviour: * we bought a new router, same model as another of our four ones, and I'm experimenting with ipv6 on it using tunnels * one of the old models, whose configuration has not been changed recently, has PPPoE as upstream, another one is natted under a PPPoE...
by nostromog
Sat Jul 21, 2018 9:48 am
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 29635

Re: v6.42.6 [current] Problem with ipv6

privileges IPv6 for some reason. So, when I reboot and get a new dynamic IPv4, my IPv6 needs to be told about it, but I can't because only IPv6 resolver works and I have no IPv6: [admin@MikroTikToledo] > :put [resolve www.google.com server=2001:470:20::2] 216.58.195.68 [admin@MikroTikToledo] > :put...
by nostromog
Fri Jul 20, 2018 5:25 am
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 29635

Re: v6.42.6 [current] Problem with ipv6

Are you sure IPv4 is available at all at that moment? Can you ping 1.1.1.1 or 8.8.8.8? For me it looks like you have ipv6 and no ipv4 right after reboot. You are right. While trying to solve the problem I moved the wrong rule and was dropping way too much ipv4 at that moment... After some more anal...
by nostromog
Wed Jul 18, 2018 10:44 pm
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 29635

Re: v6.42.6 [current] Problem with ipv6

Two problems I'm seeing with this update Are you sure it was working in previous releases? ;) Not really, new router and new tunnel. it was working for a while after I rebooted with ipv6 tunnel but now it does not work. The core problem, I think, is the internal resolver always asks for A records, ...
by nostromog
Wed Jul 18, 2018 4:10 pm
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 29635

Re: v6.42.6 [current] Problem with ipv6

Two problems I'm seeing with this update, if you have operating ipv6: [admin@MikroTik] > /ping count=1 ipv6.google.com invalid value for argument address: invalid value of mac-address, mac address required invalid value for argument ipv6-address failure: dns name exists, but no appropriate record [a...