Search found 232 matches

by nostromog
Sun Dec 17, 2023 2:59 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 257410

Re: v7.13 [stable] is released!

I was upgrading my SOHO network from 7.12 (no ax router) and my main hAP ac2 went apparently ok... until next morning when I did another /export and it entered a boot loop. Apparently the "old" capsman configuration was crashing the machine soon after reboot, with a message about a critical pro...
by nostromog
Tue Oct 10, 2023 10:39 am
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 292
Views: 225639

Re: NEW FEATURE: Back to Home VPN

I tried it with a hAP AC2, upgrading from 7.11.2 and got a boot-loop. Slow: boot, crash, reboot. Fortunately I was able to downgrade (fast SSH through several boot-crash-reboot cycles) and regained control. So I will wait for a while to install 7.12
by nostromog
Tue Oct 11, 2022 2:27 pm
Forum: General
Topic: CopyFrom - can't find in docs
Replies: 1
Views: 290

Re: CopyFrom - can't find in docs

Copy-From= will copy an existing "something" (route, rule, an element of the list that you are adding to). You need to specify the number of the element you want to copy. Typically you will add in the line the changing attributes, like port=22 if the copied one had port=80 , or similar. I...
by nostromog
Fri Mar 25, 2022 9:35 am
Forum: Announcements
Topic: v7.1.4 and v7.1.5 is released!
Replies: 202
Views: 39455

Re: v7.1.4 and v7.1.5 is released!

Upgraded a hEX RB750gv3 to 7.1.5 everything seems to have gone fine except when I look at System->Package In check for Updates it only shows ERROR: connection timed out when I look for new version. Same for long term, stable, testing and development. I can ping mikrotik.com from terminal, so internet con...
by nostromog
Tue Jun 29, 2021 6:58 pm
Forum: General
Topic: Allow IPIP from any address in network
Replies: 6
Views: 1098

Re: Allow IPIP from any address in network

I need to make an IPIP tunnel where it can receive packets from any address in a particular network, say 10.0.0.0/8. Is there a way to do this? wireguard (7 beta) does something similar to what you want provided that what you want is that the tunnel "adapts" (as in roams) to changing inpu...
by nostromog
Tue Jun 29, 2021 6:57 pm
Forum: General
Topic: Allow IPIP from any address in network
Replies: 6
Views: 1098

Re: Allow IPIP from any address in network

I need to make an IPIP tunnel where it can receive packets from any address in a particular network, say 10.0.0.0/8. Is there a way to do this? wireguard (7 beta) does something similar to what you want provided that what you want is that the tunnel "adapts" (as in roams) to changing inpu...
by nostromog
Fri May 21, 2021 2:29 pm
Forum: RouterOS beta
Topic: v7.1beta6 [development] is released!
Replies: 377
Views: 242084

Re: v7.1beta6 [development] is released!

In essence when pushing a stream of 50-80Mb/s it will stop passing TCP traffic after 20-60 minutes. What's interesting it will still allow for pinging but every existing or new TCP connection will freeze. Connections aren't dropped, they just stop carrying data. It seems like this problem is isolat...
by nostromog
Thu May 06, 2021 3:59 pm
Forum: Announcements
Topic: v6.48.2 [stable] is released!
Replies: 141
Views: 61733

Re: v6.48.2 [stable] is released!

The easiest solution is to upgrade to Linux kernel 5.6 and glibc-2.32 or higher where 32-bit apps can use 64-bit time_t just by recompiling. Additional details about full userspace support for 64-bit time_t and other ways of handling this if you are using syscalls directly are available . What's th...
by nostromog
Thu May 06, 2021 3:36 pm
Forum: Scripting
Topic: Documentation about do={<script>} in monitoring commands
Replies: 3
Views: 2029

Re: Documentation about do={<script>} in monitoring commands

/interface ethernet monitor ether1 do={ ... $name ... $status ... $"link-partner-advertising" .... } /interface monitor ether1 do={ ... $name ... $"tx-bits-per-second" ... $"rx-bits-per-second" .... } for example, $"" on link-partner-advertising because "...
by nostromog
Thu May 06, 2021 2:16 pm
Forum: Scripting
Topic: Documentation about do={<script>} in monitoring commands
Replies: 3
Views: 2029

Documentation about do={<script>} in monitoring commands

There are a number of commands, such as /interface monitor-traffic /interface <whatever-tunnel> monitor /system resource monitor ... That take a do={<script>} attribute that will get executed in every iteration of the monitoring... The things one can do inside the "do" block don't look ver...
by nostromog
Wed May 05, 2021 5:05 pm
Forum: Beginner Basics
Topic: PPTP client does not go down when idle
Replies: 5
Views: 1644

Re: PPTP client does not go down when idle

UPD. Hmm, this filter rule below should be already dropping them. correct? Is there anything else I can do (other than to persuade the hq admin to disable OSPF on the PPTP server interface)? I don't think you can do much about what the other side sends. If you know the kind of legitimate traffic yo...
by nostromog
Wed May 05, 2021 11:08 am
Forum: General
Topic: PWR-LINE PRO
Replies: 26
Views: 6006

Re: PWR-LINE PRO

Could you share with us what are the no-name version models, maybe a link where you bought them? They were Tenda PH6 https://www.tendacn.com/en/product/PH6.html (I got them via some amazon ad when I was looking for the pwr-line pro at a good price). Now, to get kind-of back on Topic, they showed a ...
by nostromog
Wed May 05, 2021 10:58 am
Forum: RouterOS beta
Topic: v7.1beta5 [development] is released!
Replies: 292
Views: 85381

Re: v7.1beta5 [development] is released!

I have a hAP ac^2 configured with a set of /queue/tree queues and I have been seeing panic reboots every 3-6 hours of the router since I upgraded to 7.1beta5. Once I did a /queue/tree/disable [find] I have not seen any more kernel failure reboots. Waiting for next version that can do traffic shaping...
by nostromog
Mon May 03, 2021 9:44 am
Forum: General
Topic: Connection tracking problem with discovery
Replies: 4
Views: 1885

Re: Connection tracking problem with discovery

How exactly are these connections shown in connection tracking list? I use "interval=1" to watch them appear and then quit before they timeout, and execute the line again. They appear every minute or so. They used to appear because I have a droplist populated by new connection attempts, a...
by nostromog
Fri Apr 30, 2021 7:04 pm
Forum: Beginner Basics
Topic: PPTP client does not go down when idle
Replies: 5
Views: 1644

Re: PPTP client does not go down when idle

I have seen it failing due to either /ip/cloud or /interface/detect-internet being active and polling the connection.

One way to find out what is keeping the connection up is to use
/tool/sniffer/quick interface=<myvpn>
for a while to understand what is keeping it alive.
by nostromog
Sun Apr 25, 2021 9:39 pm
Forum: General
Topic: PWR-LINE PRO
Replies: 26
Views: 6006

Re: PWR-LINE PRO

Sorry for hijacking thread, but for those who use PWR-LINE PRO - do you get additional latency? I've never used EoP devices before. I've heard stories that when using such devices you might get somewhat 30ms latency, even tho internet connectivity is rock stable. Just want to hear if it's true. I h...
by nostromog
Wed Apr 21, 2021 3:01 pm
Forum: Scripting
Topic: get interface address not working in v6.48.2
Replies: 7
Views: 1520

Re: get interface address not working in v6.48.2

In v6.48.2 scripting the below returns "no such item" :put [/ip address get value-name=address [find interface=ether1]] Was working on 6.48.1 and older. Any ideas as to what changed?? "no such item" -> /ip address print where interface=ether1 returns nothing "invalid intern...
by nostromog
Tue Apr 20, 2021 8:33 pm
Forum: RouterOS beta
Topic: v7.1beta5 [development] is released!
Replies: 292
Views: 85381

Re: v7.1beta5 [development] is released!

If, as you say, you have default route, then there is no need to add static routes to nowhere, you can use address lists /ip firewall address-list add list=unreachable address=10.0.0.0/8 add list=unreachable address=172.16.0.0/12 add list=unreachable address=192.168.0.0/16 /ip firewall filter add a...
by nostromog
Tue Apr 20, 2021 5:48 pm
Forum: RouterOS beta
Topic: v7.1beta5 [development] is released!
Replies: 292
Views: 85381

Re: v7.1beta5 [development] is released!

The problem with "unreachable" and "prohibited" routes is that the decision to send an ICMP reply gets taken on Layer 3 before reaching the firewall. Therefore, those routes are vulnerable to DDoS attacks. Moreover, with Layer 3 Hardware Offloading, we can offload blackhole rout...
by nostromog
Tue Apr 20, 2021 8:16 am
Forum: RouterOS beta
Topic: v7.1beta5 [development] is released!
Replies: 292
Views: 85381

Re: v7.1beta5 [development] is released!

Have "unreachable" routes disappeared in beta5 (or even before)? I used to set up unreachable routes like /ip route add distance=5 dst-address=10.0.0.0/8 type=unreachable add distance=5 dst-address=172.16.0.0/12 type=unreachable add distance=5 dst-address=192.168.0.0/16 type=unreachable but...
by nostromog
Mon Apr 19, 2021 12:03 am
Forum: General
Topic: Connection tracking problem with discovery
Replies: 4
Views: 1885

Re: Connection tracking problem with discovery

Maybe I was not completely clear: the 159.148.147.229:30000 belongs to mikrotik, I think it is about /interface/detect-internet , and the protocol is UDP, no three-way handshake. For some reason, the initial packet (from the router to the mikrotik server) is ignored by the connection tracking machin...
by nostromog
Sun Apr 18, 2021 6:45 pm
Forum: General
Topic: Connection tracking problem with discovery
Replies: 4
Views: 1885

Connection tracking problem with discovery

Hi, I see strange "new" connections coming from 159.148.147.229:30000 to my ip port 5678 This is probably due to discovery protocol interacting badly with connection tracking code. If I /tool/sniffer I can see request/response, but apparently, for the connection tracking machinery the requ...
by nostromog
Thu Mar 25, 2021 3:24 pm
Forum: Beginner Basics
Topic: Some issues with tethering usb and wifi with my hap ac2
Replies: 9
Views: 2045

Re: Some issues with tethering usb and wifi with my hap ac2

As for the first case, via usb, I plugged my smartphone to it and started tethering usb on my smartphone, but the LTE interface has never appeared in my Mikrotik's available interface as it always happened with every other devices I used to plug before. I see that it get be recharged, but not internet...
by nostromog
Mon Feb 08, 2021 8:09 pm
Forum: General
Topic: IPv6 + DHCP-PD /56 Allocations
Replies: 4
Views: 1495

Re: IPv6 + DHCP-PD /56 Allocations

I think you should set prefix-length=64 to your pool, so that assignments are in 64 bit pieces
by nostromog
Mon Feb 08, 2021 3:17 pm
Forum: Scripting
Topic: "\$(HOSTNAME)_\$(FIRMWARE)_\$(DATE)-\$(TIME)"
Replies: 5
Views: 2085

Re: "\$(HOSTNAME)_\$(FIRMWARE)_\$(DATE)-\$(TIME)"

I would like to name automatically my export file in the following format: hEX_S-RB760iGS_6.48.1_20210206-193801 where: hEX_S-RB760iGS - Hostname _6.48.1 - Current Firmware _20210206 - Current Date YYYYMMDD -193801 - Current time HHMMSS I have tried the following, but no luck: export file="\$(...
by nostromog
Fri Jan 22, 2021 7:06 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 115
Views: 30797

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

I love primarily two things of Mikrotik: One, that they support a very wide range of architectures, chipsets, devices and functions with the same OS and configuration/scripting language. Two, that they keep supporting even 10 year old products with the last version, which means that products are not...
by nostromog
Mon Jan 11, 2021 1:46 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 295
Views: 127556

Re: v6.48 [stable] is released!

I have been pulling my hair over the Pwr-line units I have recently purchased. 6.48 indeed breaks pwr-line communication completely. Installing long-term 6.46.8 solved the issue. Not for my pwrline power sources for mAP Lite. Those were fully broken for a number of releases, and 6.48 seem to have c...
by nostromog
Thu Dec 31, 2020 1:41 pm
Forum: Wireless Networking
Topic: cAP ac power consumption
Replies: 7
Views: 3251

Re: cAP ac power consumption

Cpu and ethernet ports consume more ! With very similar hardware (same SoC) except that it has 5 ethernet ports and a USB port, the hAP ac^2 is stated as "Max consumption without attachments 16W" I'd guess each gigabit ethernet port drains roughly a max of 1W, not taking into account the ...
by nostromog
Thu Dec 24, 2020 5:22 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 295
Views: 127556

Re: v6.48 [stable] is released!

What's new in 6.48 (2020-Dec-22 11:20): (...) *) interface - fixed pwr-line running state (introduced in v6.45); Difficult to know what this means, can anyone clarify? A couple of pwr-line power sources for a couple of mAP Lite routers have stopped a strange behaviour they were showing, flashing al...
by nostromog
Mon Nov 30, 2020 8:08 am
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 184
Views: 114682

Re: v6.48beta [testing] is released!

*) interface - fixed pwr-line running state (introduced in v6.45); Can you further explain? I had problems with a couple of pwr-line adapters both in recent 6 versions and 7 beta, and I wonder if this could be related. I have a support ticket open, but no contact related to it since a couple of mon...
by nostromog
Tue Oct 20, 2020 7:33 pm
Forum: Beginner Basics
Topic: Does "Detect Internet" actually do anything?
Replies: 5
Views: 7408

Re: Does "Detect Internet" actually do anything?

You can control what it does with the lists: > /interface detect-internet print detect-interface-list: WAN lan-interface-list: none wan-interface-list: none internet-interface-list: none The manual explains how the states change. Now, it will run the detection on interfaces that are in the "det...
by nostromog
Thu Oct 08, 2020 4:37 pm
Forum: RouterOS beta
Topic: v7.1beta2 [development] is released!
Replies: 385
Views: 153555

Re: v7.1beta2 [development] is released!

(...) nostromog (...) please write to support@mikrotik.com or contact us via our support portal https://help.mikrotik.com/servicedesk In support ticket, please describe issue in detail, your network setup and create supout.rif file once issue is present and share it with us. Thank you for reporting...
by nostromog
Mon Sep 28, 2020 1:17 pm
Forum: Beginner Basics
Topic: router not starting
Replies: 10
Views: 2964

Re: router not starting

select net boot and set ip to 192.168.88.3
Don't follow the manual on this, it is completely wrong

Set ip to 192.168.88.1 instead and netinstall will work
by nostromog
Sun Sep 20, 2020 1:09 pm
Forum: RouterOS beta
Topic: v7.1beta2 [development] is released!
Replies: 385
Views: 153555

Re: v7.1beta2 [development] is released!

I just setup Wireguard on my hAP AC² (...) I can also confirm that 2,4 GHZ Wifi is broken and client's don't get dhcp on that one, 5 GHZ seems to work fine. For me it works... until it stops working. Then I do /interface/wireless { disable wlan1; enable wlan1} and it works again... until it stops w...
by nostromog
Thu Sep 17, 2020 3:40 pm
Forum: Beginner Basics
Topic: Can I use single word to resolve to IP address with Static DNS?
Replies: 5
Views: 1286

Re: Can I use single word to resolve to IP address with Static DNS?

DNS specifies that a "full" name ends up in the top domain, which is "." (yes, a dot). If you ask for a domain that does not end in a dot the typical resolver will search for it with some kind of "default" domain appended. This default domain can come from several place...
by nostromog
Wed Sep 16, 2020 8:25 pm
Forum: General
Topic: Bring Tapatalk back
Replies: 32
Views: 7441

Re: Bring Tapatalk back

When did it stop working?
After Friday's forum maintenance
you need to reset your password, someone posted about it. It took me some time to figure out that was the cause
by nostromog
Mon Sep 14, 2020 7:58 pm
Forum: Announcements
Topic: v6.46.7 [long-term] is released!
Replies: 45
Views: 26383

Re: v6.46.7 [long-term] is released!

By the way what does this one mean. *) interface - added new builtin "static" interface list; This is a very interesting changelog item, one that has never been in a stable (or development) release. I find confusing that this comes to the long term release with barely no testing, has been...
by nostromog
Sat Sep 12, 2020 3:20 pm
Forum: RouterOS beta
Topic: v7.1beta2 [development] is released!
Replies: 385
Views: 153555

Re: v7.1beta2 [development] is released!

I've asked in the forums before updating to V7. One of the supports said it won't harm your device. I did it and it bricked my device. Thanks and sadly I will need to buy another retarded mikrotik device because it's my only option. Plus LDF-5 doesn't work in net install mode my computer doesn't recogni...
by nostromog
Tue Sep 08, 2020 11:39 pm
Forum: RouterOS beta
Topic: [SOLVED] cannot succeed to update hap mini to 7.1b2
Replies: 5
Views: 2569

Re: cannot succeed to update hap mini to 7.1b2

hi i tried all the options to upgrade a brand new, still not used (and factory reset) HAP MINI to latest 7.1beta2... direct upload of npk file, not enough internal storage... so tried netinstall, set up pc with 192.168.88.2 and netinstall net boot to 192.168.88.3, turned off firewall and antivirus ...
by nostromog
Tue Sep 08, 2020 6:36 pm
Forum: RouterOS beta
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 57
Views: 18618

Re: Wireguard not working when behind internet facing router with DSTNAT

I used to have a setup where port 51820 was mapped from a Mikrotik router to my old laptop, and I connected to it from my current laptop (both linux) using wireguard. When I upgraded my travel router to 7.1beta2 I cloned into it my current laptop configuration and it works like a charm. Of course h...
by nostromog
Tue Sep 08, 2020 1:22 pm
Forum: RouterOS beta
Topic: v7.1beta2 [development] is released!
Replies: 385
Views: 153555

Re: v7.1beta2 [development] is released!

. Failing devices are mostly android, but also a windows and a linux laptop occasionally. I have set wireless debug in one of the phones and saw a message like NETWORK_UNAVAILABLE DHCP NOT RESPONDING=1 (I'm inventing the message but it was the idea). I saw it again. The message was "NETWORK_SE...
by nostromog
Sun Sep 06, 2020 1:22 pm
Forum: RouterOS beta
Topic: v7.1beta2 [development] is released!
Replies: 385
Views: 153555

Re: v7.1beta2 [development] is released!

I have an issue here with the 7.1 beta 2 on 3 hAp ac^2 devices. Had to return to the stable branch for wireless to become stable again. On all devices I had serious stability issues. He told that the same I am seeing: devices get stuck but otherwise connected on both interfaces. Some time after las...
by nostromog
Sun Sep 06, 2020 11:17 am
Forum: Announcements
Topic: v6.47.3 [stable] is released!
Replies: 50
Views: 28351

Re: v6.47.3 [stable] is released!

> wireless - fixed potential wireless driver issue related to CVE-2020-3702 Interesting, my years stable hap ac 5g needed a power cycle twice (reboots wouldn't correct it) after 6.47.2 upgrade, now I've upgraded to .3, 2 android devices won't even connect any more. I'm seeing wireless problems with ...
by nostromog
Sat Sep 05, 2020 9:17 pm
Forum: RouterOS beta
Topic: v7.1beta2 [development] is released!
Replies: 385
Views: 153555

Re: v7.1beta2 [development] is released!

lte1 receives DNS via DHCP (from the modem) with the checkbox off in LTE APN - Use Peer DNS. I can't turn off the use of DNS from the router side. Mikr_DNS.png In my case, even with user-peer-dns off both in lte1 and the dynamic dhcp-client, ip dns is showing it in the "dynamic-servers" a...
by nostromog
Mon Aug 31, 2020 8:44 pm
Forum: RouterOS beta
Topic: Feature Request - Wireguard Protocol
Replies: 167
Views: 84200

Re: Feature Request - Wireguard Protocol

Has anyone been able to set mikrotik as a peer to another existing wireguard server? Yes. I had an old experimental setup: in a computer at home one peer, a port directed in the router, and I used to test from my laptop. Now I transferred my laptop configuration to my mikrotik travel router and it s...
by nostromog
Sat Aug 29, 2020 5:01 pm
Forum: General
Topic: Using netinstall from linux [SOLVED]
Replies: 3
Views: 10468

Re: Using netinstall from linux [SOLVED]

For reference, netinstall is usable from linux. The problem is in the manual . Follow it until where it says: Configure Net booting settings . Then, instead of setting 192.168.88.3 as the image shows, just set 192.168.88.1 instead and the router will appear, boot and flash... I did uncountable attem...
by nostromog
Fri Aug 28, 2020 10:38 pm
Forum: RouterOS beta
Topic: DHCPv6 Server
Replies: 29
Views: 5590

Re: DHCPv6 Server

never seen anyone using ipv6 It might be that you have not looked closely. I surprised my boss and some other people from my company, who travel a lot, when I showed them that they had unknowingly logged in in our Google domains using IPv6. Typically from mobile connections or wifi in places such as...
by nostromog
Sat Aug 22, 2020 9:38 pm
Forum: General
Topic: Using netinstall from linux [SOLVED]
Replies: 3
Views: 10468

Using netinstall from linux [SOLVED]

Hi, one of my routers stopped being accessible and refuses to get the default configuration. It boots, gets ip from ether1 and calls cloud, but it does not offer dhcp and cannot be accessed on the wireless or the remaining ether ports. It is a hAP ac^2. I'm a linux user, and when I tried to run net...
by nostromog
Mon Aug 03, 2020 10:53 am
Forum: RouterOS beta
Topic: /ip/route/check command disappeared?
Replies: 19
Views: 13925

Re: /ip/route/check command disappeared?

You can get route that resolves specified destination: /ip route print detail where x.x.x.x in dst-address and active DAd dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=10.155.101.1 immediate-gw=10.155.101.1%bridge type=unicast distance=1 scope=30 target-scope=10 From there ...
by nostromog
Tue Jul 28, 2020 7:02 am
Forum: Beginner Basics
Topic: ,ovpn config to mikrotik vpn client
Replies: 2
Views: 5709

Re: ,ovpn config to mikrotik vpn client

I see you are trying to accomplish a UDP configuration. OpenVPN has been traditionally supported only for TCP in Mikrotik, but now the (beta) version 7 offers UDP connections. The very first thing you would have to do is to upgrade your router to 7.1beta, and then add a ovpn-client connection: /inte...
by nostromog
Mon Jul 27, 2020 2:39 pm
Forum: RouterOS beta
Topic: /ip/route/check command disappeared?
Replies: 19
Views: 13925

Re: /ip/route/check command disappeared?

You can get route that resolves specified destination: /ip route print detail where x.x.x.x in dst-address and active DAd dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=10.155.101.1 immediate-gw=10.155.101.1%bridge type=unicast distance=1 scope=30 target-scope=10 From there ...
by nostromog
Mon Jul 27, 2020 1:44 pm
Forum: RouterOS beta
Topic: /ip/route/check command disappeared?
Replies: 19
Views: 13925

Re: /ip/route/check command disappeared?

Check is not implemented in ROS v7. What does check give you that "/routing route print" does not? Well, I use it in scripts to get the nexthop of the route to a given address or, using something global like 1.1.1.1, of "the internet". Something like: :local gateway ([/ip route ...
by nostromog
Sat Jul 25, 2020 2:49 pm
Forum: RouterOS beta
Topic: v7.1beta1 [development] is released!
Replies: 103
Views: 57478

Re: v7.1beta1 [development] is released!

Is the problem about ignoring MTU settings still happening in 7.1beta? ( https://forum.mikrotik.com/viewtopic.php?t=158457 ) no, jumbo frame is working fine at least on mellanox board. regards ros Confirmed, I tried and it worked. In 7.0beta5 the VLAN setup was only working with ICMP and UDP, but T...
by nostromog
Sat Jul 25, 2020 2:26 pm
Forum: RouterOS beta
Topic: /ip/route/check command disappeared?
Replies: 19
Views: 13925

/ip/route/check command disappeared?

Sorry if it has been answered, I couldn't find it in a google query...

What happened with the
/ip route check <address>
command?

I was using it in a few scripts and they are broken on upgrade to 7.1beta1...
by nostromog
Thu Jul 23, 2020 9:50 am
Forum: RouterOS beta
Topic: v7.1beta1 [development] is released!
Replies: 103
Views: 57478

Re: v7.1beta1 [development] is released!

Is the problem about ignoring MTU settings still happening in 7.1beta? ( viewtopic.php?t=158457 )
by nostromog
Mon Jul 20, 2020 11:13 pm
Forum: General
Topic: PMTU blues: The trap of Movistar's PPPOE endpoint of 192.168.144.1 + RouterOS default max-mtu and max-mru of 1480...
Replies: 1
Views: 1086

PMTU blues: The trap of Movistar's PPPOE endpoint of 192.168.144.1 + RouterOS default max-mtu and max-mru of 1480...

TLDR;; The blues of a tricky Movistar setup + a tricky default setting in Mikrotik, and how I have spent a couple of years with a broken internet connection due to it My internet provider (Movistar, the "new" branding of the old monopoly Telefonica de España) has PMTU discovery broken. Thi...
by nostromog
Tue May 26, 2020 8:12 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 8589

Re: Mikrotik + Movistar Fusión Empresas

Here is the config file. This is the configuration of the Mikrotik when we have connection with the old ONT. No changes made. This configuration contains the fragment I told you to connect to vlan6: /interface vlan add interface=ether1-gateway name=vlan3 vlan-id=3 add interface=ether1-gateway name=...
by nostromog
Tue May 26, 2020 6:52 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 8589

Re: Mikrotik + Movistar Fusión Empresas

I did what you said: I connected the Mikrotik directly to the new ONT, but nothing changed. Probably the Teldat has some new configuration and Movistar disabled the ONT so I'm forced to use the Teldat. I doubt that you are forced to use the Movistar router, their fiber is quite standard through Spa...
by nostromog
Mon May 25, 2020 7:53 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 8589

Re: Mikrotik + Movistar Fusión Empresas

First of all, thank you all for your help. Sadly I can't try your solutions until tomorrow (I have my own work as electrician and the company doesn't stop until 22:00). The only moment I can touch the network without being yelled is at lunch break. Tomorrow I'll tell you, every idea is welcomed. M...
by nostromog
Mon May 25, 2020 5:27 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 8589

Re: Mikrotik + Movistar Fusión Empresas

Hello everyone. First of all, I'm a noob at networking. I'm an electrician and I've been forced to take care of the company network because our technician recently got corona, so I'm sorry if I can't understand you perfectly or I make a mistake trying to explain my case. Recently in my workplace we ...
by nostromog
Sun May 24, 2020 11:51 am
Forum: General
Topic: Documentation errors
Replies: 6
Views: 1909

Re: Documentation errors

The following page https://help.mikrotik.com/docs/pages/viewpage.action?pageId=3211299 under "Source NAT" says Let`s assume you want to hide both office computer and server behind the public IP 172.16.16.1 But that address (172.16.x.x - 172.31.x.x) is a private address, much like 192.168....
by nostromog
Fri May 22, 2020 7:10 pm
Forum: RouterOS beta
Topic: mangle and routing-mark can not work for RouterOS v7
Replies: 9
Views: 7765

Re: mangle and routing-mark can not work for RouterOS v7

As it is in beta use it only in test environments so you can wait as long as it takes to be released. Don't use it in production environment.
Tell that to mikrotik, Chateau LTE12 is being released with 7.0beta6, not yet available for the rest of us :)
by nostromog
Mon May 18, 2020 2:17 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 179718

Re: v6.47beta [testing] is released!

I'm also using hAP AC2 with beta60 and works fine for me, simple home network setup, QoS and DoH. We are also using beta60 with no problems in a hAP AC2, but we upgraded a hEX S (RB760iGS) doing some l2tp/ipsec tunnel (as l2tp-client) and the tunnel stopped working until we removed the use-ipsec=&q...
by nostromog
Sat Apr 11, 2020 4:10 pm
Forum: General
Topic: Consolidate 1000 address list entries into CIDRs?
Replies: 1
Views: 1909

Re: Consolidate 1000 address list entries into CIDRs?

This particular subnet is 216.218.206.64/26 and belongs (according to whois) to The Shadowserver Foundation, which It's a volunteer run organisation designed to track malware, botnet activity and electronic fraud. Richard Perlotto runs the technology and operational side of the organisation, but his...
by nostromog
Fri Apr 03, 2020 10:34 pm
Forum: Wireless Networking
Topic: mikroTik hAP ac² , 5Ghz Lag Spikes
Replies: 18
Views: 6859

Re: mikroTik hAP ac² , 5Ghz Lag Spikes

But I also discovered that there might be a problem in the "Learn" parameter (/interface bridge port set learn=). If set to "yes" or "auto", then a problem with "lag" appears. If set to "no" then the problem disappears. The parameter "Ageing Ti...
by nostromog
Tue Mar 31, 2020 3:01 pm
Forum: RouterOS beta
Topic: Interface MTU has no effect
Replies: 1
Views: 4254

Re: Interface MTU has no effect

bump! I'm seeing the same behaviour. I got a failure in a ISP router and had to replace it with an idle hAP ac^2 that was running 7.0beta 5. The configuration is basically (I left the firewall/nat/dhcp-server... outside): /interface vlan add interface=ether1 mtu=1492 name=orange vlan-id=20 /ip dhcp-...
by nostromog
Tue Dec 10, 2019 12:20 pm
Forum: Beginner Basics
Topic: L2TP Server doesn't give a default gateway to the client - why?
Replies: 29
Views: 26468

Re: L2TP Server doesn't give a default gateway to the client - why?

The router is not involved in this process, it must be a client-side issue. How does the client know the default gateway for the network if the router does not tell it? Having the same issue here, the checkbox to use the default gateway on remote network is enabled for the VPN L2TP Server connectio...
by nostromog
Sat Dec 07, 2019 7:19 pm
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 68929

Re: v6.46 [stable] is released!

(...) So you can not use mathematical expression to compare them. Just replace " < " with " != ": if ([/system routerboard get current-firmware] != [/system routerboard get upgrade-firmware]) do={ ... Further, you can get quite strange results in the test. For example, with devel...
by nostromog
Fri Nov 29, 2019 10:59 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 69883

Re: v6.45.7 [stable] is released!

Is there any known reason why (what looks like) all NAT stops working in 6.45.7 after a few hours? Where do I even start to debug this? I think it could be due to change in the external IP, or even release of the current one due to problems in the DHCP renegotiation, you could look for dhcp message...
by nostromog
Thu Nov 28, 2019 2:50 pm
Forum: General
Topic: PPP secrets last logged out time in terminal
Replies: 3
Views: 2396

Re: PPP secrets last logged out time in terminal

I find this code clearer:
:put [/ppp secret get [find where name=xyz] last-logged-out ]
get/find is usually simpler to program than using print as-value. It works for retrieving entities, for results such as monitor you still need as-value...
by nostromog
Tue Nov 05, 2019 12:18 am
Forum: General
Topic: PPPoE client default MTU
Replies: 25
Views: 29376

Re: PPPoE client default MTU

I understand, my ISP supports a MTU of 1492 by PPPoE if I connect my PC directly to the modem without the router my MTU is 1492 by PPPoE but when I activate the bridge mode and connect the Mikrotik my MTU changes to 1480, with neither previous router my MTU was 1492, in my case I get better results...
by nostromog
Mon Nov 04, 2019 12:29 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 106152

Re: v6.46beta [testing] is released!

Hi, I saw a strange error in a hAP ac^2 with beta59: [admin@Mikrotik] > /system routerboard print routerboard: yes board-name: hAP ac^2 model: RBD52G-5HacD2HnD serial-number: B4A00A072300 firmware-type: ipq4000L factory-firmware: 6.42.3 current-firmware: 6.46beta59 upgrade-firmware: 6.46beta59 [admi...
by nostromog
Thu Oct 03, 2019 7:33 pm
Forum: RouterBOARD hardware
Topic: LtAP Mini LTE Kit is awful when network signal is unstable
Replies: 6
Views: 3885

Re: LtAP Mini LTE Kit is awful when network signal is unstable

When I'm in city with strong 3/4G coverage, everything works as it's supposed to. But when I leave big city Internet connection becomes awful and nearly unusable (though usual phone with same ISP shows 3-4 sticks of 3G/H+ and above-mentioned Huawei 4G router also changes bands and base stations seaml...
by nostromog
Mon Sep 30, 2019 9:00 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 106152

Re: v6.46beta [testing] is released!

To be precise, what I observe is a never ending sequence of 19:15:39 ipsec,info initiate new phase 1 (Identity Protection): 2001:470:NNNN:NNNN::1[500]<=>2001:470:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN[500] 19:16:39 ipsec,error phase1 negotiation failed due to time up 2001:470:NNNN:NNNN::1[500]<=>2001:470:NNN...
by nostromog
Mon Sep 30, 2019 12:59 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 106152

Re: v6.46beta [testing] is released!

Well, then fix the IPv6 address. It will not try a different address until the previous one times out (after DNS TTL). It has always been like this, however we have fixed IPv6 address resolving in the beta. I wonder what do you call "times out (after DNS TTL)". Do you mean the use of DNS ...
by nostromog
Fri Sep 27, 2019 10:18 pm
Forum: General
Topic: CRS125-24G 100% CPU on IPSec Configuration using RSA Signature Hybrid
Replies: 3
Views: 1963

Re: CRS125-24G 100% CPU on IPSec Configuration using RSA Signature Hybrid

I experienced the same bug, reset configuration and re-importing it was the only solution to fix it.


by nostromog
Fri Sep 27, 2019 10:17 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 106152

Re: v6.46beta [testing] is released!

I'm seeing a problem with DNS resolution of ipsec peer in this beta: I have an ipsec peer that happens to have a correct ipv4 address, but an ipv6 address that does not work. On boot, the ipv6 address is picked up, but the ipsec remains in message-1-sent state forever. I need to do /ip ipsec peer di...
by nostromog
Tue Sep 24, 2019 11:04 am
Forum: RouterBOARD hardware
Topic: Recover from "No Default Configuration" System Reset
Replies: 17
Views: 11043

Re: Recover from "No Default Configuration" System Reset

One technique I have used, as a linux user, to check if the router is alive when I lost configuration and the machines have ipv6 package active, is to plug an ethernet cable from my laptop to the router, ensure that the link is up on the linux side and # use your eth interface name instead of eth1 $...
by nostromog
Mon Sep 23, 2019 11:13 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 2951

Re: "pure" ipsec, how to deal with MTU?

Can't it be your srcnat rules touching something they should not? Because unless I'm lost in what's connected where, if the icmp response should go to 192.168.21.251, then 192.168.90.253 as source doesn't look right. Well, I don't choose the source of an ICMP error packet generated by the kernel/ne...
by nostromog
Mon Sep 23, 2019 9:59 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 2951

Re: "pure" ipsec, how to deal with MTU?

Check what the router really sends or not directly on router, add logging rule in output for icmp and destination address of client, and you'll see. This is what I did, using /tool sniffer and some logging, and I have seen. I'd expect the opposite for split-include configs, i.e. that 0.0.0.0/0 woul...
by nostromog
Mon Sep 23, 2019 8:21 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 2951

Re: "pure" ipsec, how to deal with MTU?

You don't need to do anything about it. Just make sure you do not blindly block the ICMP traffic so PMTUD over your tunnels works. It is not working. It is working locally, i.e. the router at the "client" side of the ipsec tunnel will give the error I posted, but it is not working for cli...
by nostromog
Sat Sep 21, 2019 10:35 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 2951

"pure" ipsec, how to deal with MTU?

Hi, I set up in my home router a "pure" ipsec VPN, experimentally before I set it up in my company. It is currently ikev1 with xauth, something like /ip address add address=192.168.90.1/24 interface=bridge network=192.168.90.0 /ip ipsec mode-config add address-pool=vpn2 name=RW-cfg split-i...
by nostromog
Sat Sep 14, 2019 5:18 pm
Forum: General
Topic: Access to MikroTik LtAP console via LTE
Replies: 3
Views: 2082

Re: Access to MikroTik LtAP console via LTE

The typical solution to this problem is that you have a VPN server and each router connects to it automatically once it gets signal. So from the server you can reach any of the devices. It will cause idle traffic, though, as keeping alive the connection is the only way to have it available when it i...
by nostromog
Fri Sep 13, 2019 10:11 pm
Forum: General
Topic: L2TP/IPSec VLAN no HTTP (port 80) [SOLVED]
Replies: 2
Views: 1593

Re: L2TP/IPSec VLAN no HTTP (port 80) [SOLVED]

Looks like an MTU issue. You can measure the mtu using ping ... size=<n> do-not-fragment , changing n until you find the maximum that answers, and adjust the MTU of the interface, etc



by nostromog
Wed Sep 11, 2019 9:13 am
Forum: Wireless Networking
Topic: Bit confused by the existence of the hAP AC Lite?
Replies: 15
Views: 6272

Re: Bit confused by the existence of the hAP AC Lite?

The maximum one tends to get with Wi-Fi 4 (802.11n) with two chains (e.g. many laptops) is ~70Mbps so it's a reasonable match for VDSL2 here in the UK where the internet link isn't much higher than that in many cases, often less. So having 100Mbps port for the internet connection is fine. One tends...
by nostromog
Tue Sep 10, 2019 10:09 pm
Forum: General
Topic: Feature Request: Add LTE to WAN Interface List by default
Replies: 4
Views: 1714

Re: Feature Request: Add LTE to WAN Interface List by default

In IPsec an add-to-list option is getting added, this would be similar, I guess


by nostromog
Tue Aug 27, 2019 3:15 pm
Forum: Beginner Basics
Topic: Unable to return to default configuration
Replies: 1
Views: 1738

Re: Unable to return to default configuration

It might be that the script that restores the configuration has a bug, or the firmware is not initializing properly. For instance, the script posted below tries 40 times to find the wireless interfaces, and they might take more time to initialize than this... You can try to understand what is going ...
by nostromog
Sat Aug 24, 2019 7:49 pm
Forum: Beginner Basics
Topic: How to dumb bridge (?) using hAP ac lite
Replies: 11
Views: 3826

Re: How to dumb bridge (?) using hAP ac lite

... create a bridge add all ether interfaces to that bridge As soon as I change the interface I'm using (eth2 in this case) from the old bridge to the new one, I lose contact with the router, and can't get there from here. I am running winbox on wine on debian. When I have been cut access from the ...
by nostromog
Tue Aug 20, 2019 8:18 pm
Forum: Wireless Networking
Topic: MAP2n as Travel Router Configuration Assistance
Replies: 18
Views: 4757

Re: MAP2n as Travel Router Configuration Assistance

So played w/ this some and realized w/ the Lost_Duckling mode making it a AP instead of a bridge I can then connect to my normal wlan and get into the web-config. I should then be able to setup the hotel wireless as a new profile and change wlan1 back to a station save and try to connect correct? M...
by nostromog
Thu Aug 15, 2019 10:12 pm
Forum: Wireless Networking
Topic: MAP2n as Travel Router Configuration Assistance
Replies: 18
Views: 4757

Re: MAP2n as Travel Router Configuration Assistance

So I added the following code: /interface wireless security-profiles add authentication-types=wpa2-psk management-protection=allowed mode=\ dynamic-keys name=lost_duckling supplicant-identity=MikroTik \ wpa2-pre-shared-key=MyTempPSK :log info "script: Going into Lost Duckling mode" /inter...
by nostromog
Wed Aug 14, 2019 7:11 pm
Forum: General
Topic: How to remove wrong dynamic-servers from /ip dns?
Replies: 4
Views: 3871

Re: How to remove wrong dynamic-servers from /ip dns?

Dynamic DNS servers are added by DHCP/PPPoE/... and they don't stick. Stop the client or uncheck the option to add them, and they go away. If not, it would be a bug. It is a bug, then, as they have been around for months, after reboots and whatnot. My guess is that if one disables the dhcp-client / p...
by nostromog
Wed Aug 14, 2019 5:20 pm
Forum: General
Topic: How to remove wrong dynamic-servers from /ip dns?
Replies: 4
Views: 3871

How to remove wrong dynamic-servers from /ip dns?

Hi, I have the same problem in several routers: I have a router in London where I used for a short time my cellular phone via USB cable, and via dhcp-client the DNS addresses of my provider went into /ip dns dynamic-servers... Several months and reboots from then they are still there, in spite of th...
by nostromog
Wed Aug 14, 2019 5:12 pm
Forum: Scripting
Topic: mAP lite as travel router [SOLVED]
Replies: 5
Views: 7605

Re: mAP lite as travel router [SOLVED]

(...) To run AP & Client simultaneously, you can run AP as master and station as virtual interface (use wlan2 in connect-list entries). /interface wireless set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=AP1 add default-authentication=no disabled=no master-interface=wlan1 mode=s...
by nostromog
Tue Aug 13, 2019 2:06 pm
Forum: RouterBOARD hardware
Topic: New Router
Replies: 2
Views: 2127

Re: New Router

My old router died due to a heat stroke so I need to buy a new router. I had a RB750G and my network Connection is 500/500 but I'm going to upgrade to 1000/1000. I have 3x high speed computers that need a switch chip or fast cpu to bridge the traffic. 1x ip-telephone 1x laptop (some times on Cab...
by nostromog
Sun Aug 11, 2019 3:35 pm
Forum: Scripting
Topic: WOL not working after upgrade
Replies: 9
Views: 6451

Re: WOL not working after upgrade

Interface is Bridge1 for all inside mac on hEX
/ip arp print
 0 DC 10.10.10.41     00:1A:EC:0C:1C:83 Bridge1
 1 DC 10.10.10.32     90:BA:1A:68:DA:D1 Bridge1
...
...
this means that bridge1 is the broadcast domain where the wake tool should be fired.


by nostromog
Sun Aug 11, 2019 11:07 am
Forum: Wireless Networking
Topic: MAP2n as Travel Router Configuration Assistance
Replies: 18
Views: 4757

Re: MAP2n as Travel Router Configuration Assistance

Can you have multiple profiles to connect to on wlan1? If so your first idea works for me. The 2nd is great too when I travel for work, but don't always have a laptop otherwise. yes, you write different security profiles and connect list entries. See the manual. I have set up one per wifi, in order...
by nostromog
Sun Aug 11, 2019 7:02 am
Forum: Scripting
Topic: WOL not working after upgrade
Replies: 9
Views: 6451

Re: WOL not working after upgrade

:put [/ip arp get [f where mac-address=A0:48:1E:B8:8D:58] interface] This may not work. On hEX routers, it will just show name of the bridge where the interface is connected, not the physical interface. The interface where it appears in arp table is the one that wake command needs Sent from my Redm...
by nostromog
Fri Aug 09, 2019 10:37 am
Forum: Wireless Networking
Topic: MAP2n as Travel Router Configuration Assistance
Replies: 18
Views: 4757

Re: MAP2n as Travel Router Configuration Assistance

Only issue I foresee now is wlan2 not being available unless the Map connects to wlan1 first. Not a problem if I know the SSID ahead of time but won't always be the case. More than likely will disable wlan2 and Daisy chain a Maplite off of it so I can connect to the management interface of the 2n a...
by nostromog
Tue Aug 06, 2019 1:49 pm
Forum: Scripting
Topic: WOL not working after upgrade
Replies: 9
Views: 6451

Re: WOL not working after upgrade

I hate upgrades, as always something goes wrong (of course other things might have been wrong previously, hence the need for upgrade) This time WOL stopped working in both 6.44.3 & current 6.45.3 It used to work perfectly fine in my old 6.34.x version I can use Depicus WOL GUI tool (and with set...
by nostromog
Sat Aug 03, 2019 2:09 pm
Forum: General
Topic: NAT-T flag missing in 6.45.3
Replies: 7
Views: 2573

Re: NAT-T flag missing in 6.45.3

I'm not using NAT Traversal. Active-peers doesn't exist the same way in 6.44 due to all the changes between 6.44 and 6.45. NAT-Traversal is not something you "use". NAT Traversal is a technique used when the ipsec-esp protocol cannot establish a connection between two peers; it then encap...
by nostromog
Sat Aug 03, 2019 1:26 pm
Forum: General
Topic: NAT-T flag missing in 6.45.3
Replies: 7
Views: 2573

Re: NAT-T flag missing in 6.45.3

I was just confirming that I don't get the black hole in either direction with 6.44.5 1423 does generate "packet too large". Are you seeing the "N" (NAT Traversal) flag in both sides when you ask for the active peers? I see it only in the responder and it should be in both sides.
by nostromog
Sat Aug 03, 2019 12:38 pm
Forum: General
Topic: NAT-T flag missing in 6.45.3
Replies: 7
Views: 2573

Re: NAT-T flag missing in 6.45.3

The blackhole is making TCP connections impossible unless I trim the MTU in the initiator side. I'd say that this was not happening pre-6.45, but it is hard to remember if I tried to do tcp connections using IPsec this way while running previous releases. I have an IPSec link between two devices on...
by nostromog
Sat Aug 03, 2019 11:56 am
Forum: General
Topic: NAT-T flag missing in 6.45.3
Replies: 7
Views: 2573

NAT-T flag missing in 6.45.3

I found a strange problem with the last releases. The initiator side of an IPsec association is not showing NAT-T flag, while the responder does. Also there is a blackhole between 1406-1422 bytes size in the initiator side. This is happening at least in 6.45.1-3, currently both sides run 6.45.3. How ...
by nostromog
Fri Aug 02, 2019 11:34 am
Forum: General
Topic: Block Ping request
Replies: 44
Views: 33260

Re: Block Ping request

Block ICMP packets and allow router to show as a hop on traceroutes;

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
Doesn't Work!
Of course, disabled=yes is a very effective way to make non-working firewall rules :)
by nostromog
Thu Aug 01, 2019 7:30 pm
Forum: RouterBOARD hardware
Topic: RouterBOARD naming
Replies: 61
Views: 125685

Re: RouterBOARD naming

There will be a non-TC (classic MikroTik style) version of hap ac2? Are you aware that the ac^2 can be installed "flat"? i.e. the base has two configurations, the tower one and a desktop one. By the way, I agree that the leds are too difficult to read, in any condition of light. I can bar...
by nostromog
Wed Jul 31, 2019 4:17 am
Forum: Wireless Networking
Topic: How to get signal-strength from wireless card
Replies: 3
Views: 2925

Re: How to get signal-strength from wireless card

On the other hand the Keyword "as-value" seems not to be working on mode "ap_bridge" Routeros will not print any returned value unless you ":put" it: # Here "wlan1" is in station mode and "wlan2" in ap-bridge mode /interface wireless {:put ([monitor...
by nostromog
Wed Jul 24, 2019 3:59 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 35
Views: 6764

Re: help to set ipv6 / 48

ok to recap: in ipv6 address I entered: 2a02: 2f0f: 1c2 :: 1/48 interface bridgeLAN in the routes: ok to recap: in ipv6 address I entered: 2a02: 2f0f: 1c2 :: 1/48 interface bridgeLAN in the routes: # DST-ADDRESS GATEWAY DISTANCE 0 A S ::/0 fe80::1%eth6_WAN 1 1 ADC 2a02:2f0f:1c2::/48 bridge_LAN 0 bu...
by nostromog
Thu Jul 18, 2019 9:57 pm
Forum: General
Topic: rx,tx byte rate in interface menu
Replies: 7
Views: 3191

Re: rx,tx byte rate in interface menu

/interface monitor-traffic LAN once do={:put $"rx-bits-per-second" } How to record this value to the log and let it display like 14.5Mbps, retaining a decimal point. Trying to find the entire forum, many will not work. The syntax of Routeros scripting is designed for easy parsing rather t...
by nostromog
Wed Jul 17, 2019 10:26 am
Forum: General
Topic: IPsec doesn't work after upgrade from 6.43.16 to 6.44 and high
Replies: 4
Views: 1529

Re: IPsec doesn't work after upgrade from 6.43.16 to 6.44 and high

I've seen here on the forum a case like this, the solution was to export the ipsec configuration into an external text file, remove it on the machine, upgrade the machine and create the ipsec configuration manually again. There was a significant change in the IPsec configuration structure either be...
by nostromog
Fri Jul 05, 2019 8:25 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 196416

Re: v6.45.1 [stable] is released!

In order to upgrade ROS, your hAP lite needs at least some 14MB RAM free (possibly even more) and around 1MB hdd free. Both are displayed using command /system resource print (fields free-memory and free-hdd-space respectively). If your RAM is low, try to reboot device (in case there are some proce...
by nostromog
Fri Jul 05, 2019 9:31 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 196416

Re: v6.45.1 [stable] is released!

It hangs in some initial script that tries to modify ipsec policies depending on dynamic local ip, it hangs on "/ export" or "/ip ipsec <whatever>". I can't generate a supout because it hangs :( Have you tried to reset the machine to defaults before or better after upgrade to 6....
by nostromog
Wed Jul 03, 2019 7:43 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 196416

Re: v6.45.1 [stable] is released!

I upgraded 2 mAP Lite without a single issue, and another old 750GL. Same On the other side, the hAP ac that could not be upgraded/downgraded to 6.44.* or 6.45beta* because it had the 100% looping CPU on ipsec is still behaving the same. It hangs in some initial script that tries to modify ipsec poli...
by nostromog
Mon Jul 01, 2019 9:07 am
Forum: Wireless Networking
Topic: Number of Wi-Fi connections on hAP mini
Replies: 8
Views: 3932

Re: Number of Wi-Fi connections on hAP mini

So hence the reason I was interested in the hAP range. MikroTik are not that well known in the UK but I was interested when I saw them on Broadbandbuyer. It sounds like the mini is a little under powered but I punted out the £20 and bought one anyway. I'm on good terms with the cafe I was talking ...
by nostromog
Wed Jun 26, 2019 10:00 pm
Forum: Wireless Networking
Topic: Number of Wi-Fi connections on hAP mini
Replies: 8
Views: 3932

Re: Number of Wi-Fi connections on hAP mini

Nostomog, could you tell us why "MIPS" is not good to handle encrypted traffic? It is not a problem of handling encrypted traffic, but of doing encryption. The MIPS CPU has only one core, and does not have hardware support for AES encryption. So, if you are terminating encrypted VPNs in y...
by nostromog
Sat Jun 22, 2019 2:03 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157224

Re: v6.45beta [testing] is released!

You can try to manually download the package from download.mikrotik.com - choose extra packages which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from router itself. Upload those npk files to router and reboot the router afterwa...
by nostromog
Fri Jun 21, 2019 5:08 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157224

Re: v6.45beta [testing] is released!

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file become corrupt? Is it some problem in this device?
by nostromog
Fri Jun 21, 2019 4:29 pm
Forum: Wireless Networking
Topic: Number of Wi-Fi connections on hAP mini
Replies: 8
Views: 3932

Re: Number of Wi-Fi connections on hAP mini

The main limitation of the hAP mini is its RAM, a bit on the small side with only 32M RAM, which brings one problem that you can search for in the forum: often it is difficult to upgrade, as the upgrade firmware is downloaded in RAM, and depending on your configuration it can get tricky. I have good...
by nostromog
Thu Jun 06, 2019 7:22 pm
Forum: General
Topic: hAP ac² as switch + ap
Replies: 9
Views: 4589

Re: hAP ac² as switch + ap

[*] select static ip address or dynamic, as desired It seems like what I want, I'm just not sure if the address you mention here is just to access hAPs configuration or will all wifi clients use this IP to talk with the rest of the network? I want my server to assign each ip. Mikrotik routers are q...
by nostromog
Thu Jun 06, 2019 6:45 pm
Forum: General
Topic: hAP ac² as switch + ap
Replies: 9
Views: 4589

Re: hAP ac² as switch + ap

EDIT: I think I was wrong, WISP AP is for a station connection on 5GHz band, use instead Home AP Dual. So there is no hidden NAT on the wlan where in the end every device is presented under the same ip to my server like I've read is the problem with some routers? I think that if you upgrade it, sel...
by nostromog
Tue Jun 04, 2019 1:40 pm
Forum: RouterBOARD hardware
Topic: Cheapest router for home use with 1Gb
Replies: 7
Views: 5361

Re: Cheapest router for home use with 1Gb

https://mikrotik.com/products/compare/RBD52G-5HacD2HnD-TCr2+RB4011iGSplus5HacQ2HnD-IN Those two models have 1GB network interfaces dual band WiFi 4 cores with good performance for firewalling or VPN at high bandwidth If you are looking for a cheap solution, I'm quite happy with the hAP ac^2 I have at...
by nostromog
Sat Jun 01, 2019 2:57 pm
Forum: General
Topic: Please add the ability to choose Proposal
Replies: 12
Views: 4531

Re: Please add the ability to choose Proposal

Why is the use-ipsec=yes a bad thing? It is not a bad thing if you just want to protect a connection. What tomaskir said is that if you want to do an "in-depth IPSec config" it is better not to use these parameters and to create the policies for the tunnels yourself. The solution proposed ...
by nostromog
Sat May 25, 2019 7:49 pm
Forum: General
Topic: Download over xDSL, Upload over 4G LTE
Replies: 10
Views: 2505

Re: Download over xDSL, Upload over 4G LTE

(...) In the system perspective, you have the router at the site with poor ADSL upload, let's call it the VPN client for simplicity, and the router with good connectivity and public IP address somewhere else - let's call it the VPN server. There are two VPN tunnels established between the two, one ...
by nostromog
Thu May 16, 2019 2:40 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157224

Re: v6.45beta [testing] is released!

Hi Mikrotik Are you aware if Router OS is patched for this threat? https://www.tomsguide.com/us/zombieload-attack-intel-what-to-do,news-30082.html I think an accurate answer would be that RouterOS running on a x86 is not itself vulnerable, but the vulnerability could be exploited in the unpatched h...
by nostromog
Sat May 11, 2019 10:05 pm
Forum: Scripting
Topic: ping time script
Replies: 1
Views: 1980

Re: ping time script

It is complicated as the ping command does not offer many options in RouterOS. You could do something like :if ([:ping 1.1.1.1 count=10 interval=90ms]<8) do={:put something} This will execute the do= block if less than 8 out of 10 pings arrive in less than 90ms. You could tune: The number of attempt...
by nostromog
Fri May 10, 2019 5:23 pm
Forum: Scripting
Topic: Routing exeptions for connections from the routers itself
Replies: 7
Views: 2268

Re: Routing exeptions for connections from the routers itself

Here's a challenge for the routing experts :-) I have a script that uses the Telegram messenger API to notify about logins, errors, etc. on a router; this is done by "/tool fetch url="https://api.telegram.org/bot...." in a script. Since api.telegram.org is blocked in several countrie...
by nostromog
Tue May 07, 2019 8:11 pm
Forum: Wireless Networking
Topic: MUM Wireless to Wireless
Replies: 6
Views: 1831

Re: MUM Wireless to Wireless

https://mum.mikrotik.com/presentations/NL19/presentation_6878_1556787638.pdf Can somebody explain what this chap is doing in basic terms because I find it very confusing and have no idea of any applications for the magic he described. A wireless interface in routeros can be in several modes. Some s...
by nostromog
Tue May 07, 2019 5:21 pm
Forum: General
Topic: MTU "caching"
Replies: 5
Views: 1676

Re: MTU "caching"

Routerboard has a linux kernel version 3 underlying it. I don't really remember if linux was having the same behaviour now than then (a few things around route caching have changed), but the current behaviour is: * linux does path MTU discovery as needed (on receipt of ICMP fragmentation needed mess...
by nostromog
Sun May 05, 2019 6:50 pm
Forum: Scripting
Topic: Power out notification
Replies: 11
Views: 4794

Re: Power out notification

Detecting incoming power failure looks hard to impossible, but one possible way to very quickly/statelessly delivering a message is sending a ping of a specific size to a given server. Use the size of the ping as a "return code". You could simply execute something like: /ping myserver size...
by nostromog
Sun May 05, 2019 6:00 pm
Forum: Scripting
Topic: Detecting wireless roaming
Replies: 1
Views: 1361

Re: Detecting wireless roaming

A tentative solution, the best I could come up with: # ensure that registration/dhcp lease are current... do { :local GatewayIP [/ip dhcp-client get [find interface="wan-bridge"] gateway ] :local GatewayMac [/ip arp get [find address=$GatewayIP] mac-address ] :if (([:len [/interface bridge ho...
by nostromog
Sat May 04, 2019 5:53 pm
Forum: Useful user articles
Topic: How to opitimize list of IP4 addresses
Replies: 7
Views: 14296

Re: How to opitimize list of IP4 addresses

I think it is not working 100% right. Example. Let's get all facebook IPv4 address ranges and process them with your program: $ (for orig in AS32934 AS63293 AS54115; do whois -h whois.radb.net -- "-i origin $orig"; done) | grep route: | awk '{print $2}' >facebook4.txt $ gcc -o optimizeip ...
by nostromog
Wed May 01, 2019 9:38 pm
Forum: Scripting
Topic: Detecting wireless roaming
Replies: 1
Views: 1361

Detecting wireless roaming

Hi, I have a problem with a travel router relative to station mode and connect lists I set up a mAP Lite to connect as a station to different wifi APs using a connect list, and bridged it with a virtual AP. /interface wireless security-profiles set [ find default=yes ] group-ciphers="" sup...
by nostromog
Mon Apr 22, 2019 2:06 pm
Forum: Scripting
Topic: Reading POE status with script
Replies: 7
Views: 4884

Re: Reading POE status with script

This works for me:
{
  :local test ([/interface ethernet poe monitor ether5 once as-value ]->"poe-out");
  :put $test
}
It needs once to ensure it finishes, and as-value to return the resulting data structure.
by nostromog
Fri Apr 19, 2019 1:03 am
Forum: Announcements
Topic: IP Cloud
Replies: 79
Views: 159875

Re: IP Cloud

IP Cloud services include: Time-zone detection, that is enabled by default. And fails spectacularly when I'm in London, systematically thinking that I'm in Europe/Tallinn: [user@router] > /system clock print time: 00:50:19 date: apr/19/2019 time-zone-autodetect: yes time-zone-name: Europe/Tallinn gm...
by nostromog
Thu Apr 18, 2019 12:32 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157224

Re: v6.45beta [testing] is released!

Also, I tried to netinstall once and was not working, it seems to be really tricky with linux machines and difficult reset procedures... Connect your machine and router to a switch, then run netinstall with Wine as sudo and will work flawlessly. I have no switch, I connected them straight, which g...
by nostromog
Tue Apr 16, 2019 11:50 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157224

Re: v6.45beta [testing] is released!

Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%? Almost certain way would be netinstall directly to desired ROS version. And then import config from textual export. I'm leaving the place where the machine that failed to upgrade yesterday is in a few hours, not...
by nostromog
Tue Apr 16, 2019 7:06 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157224

Re: v6.45beta [testing] is released!

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration: /ip ipsec peer add exchange-mode=ike2 name=router passive=yes /ip ipsec policy group add name=RoadWa...
by nostromog
Sat Apr 13, 2019 10:16 pm
Forum: Beginner Basics
Topic: Router for my new home!
Replies: 14
Views: 3533

Re: Router for my new home!

Hey mate, Greetings to all. I'm a new member in this community. I hope this is the right place to start my issue here. I need a router for my new home with 3 bedrooms. Which one would be reliable? Thank you so much for your reply. Things to consider: How is the upstream: Mikrotik has some routers t...
by nostromog
Mon Apr 08, 2019 7:45 pm
Forum: Wireless Networking
Topic: hAP ac wireless problem
Replies: 8
Views: 2756

Re: hAP ac wireless problem

I bought hAP ac router and didn't change default settings. I have problem with wireless. Every time when I measured speed, on laptop result is about 80Mbps, but on mobile devices show about 50Mbps. Why on mobile devices speed flow is not max? I checked here, with different routers, but I find, in r...
by nostromog
Mon Apr 08, 2019 12:27 pm
Forum: General
Topic: [Feature request] Address List extension
Replies: 11
Views: 4206

Re: [Feature request] Address List extension

I wish I knew how to deduplicate it.
When I tried ipv4 it was failing due to a duplicate, but changing sort -> sort -u makes it load. I edited the post. Removing entries that fall "inside" other entries, though, is a non-trivial programming problem.
by nostromog
Sun Apr 07, 2019 10:57 am
Forum: General
Topic: [Feature request] Address List extension
Replies: 11
Views: 4206

Re: [Feature request] Address List extension

EDIT: Change sort to sort -u so that no full duplicates remain. How could we use this: whois -h whois.radb.net -- '-i origin AS15169' | grep ^route Which gets every IP address range Google uses Into a Mikrotik address list? Those two give separate raw prefix lists, one for IPv4 and another for IPv6...
by nostromog
Fri Apr 05, 2019 2:12 pm
Forum: General
Topic: IPv6 connection attempts on port 35211
Replies: 0
Views: 828

IPv6 connection attempts on port 35211

I'm seeing connection attempts from a growing number of IPv6 addresses to port 35211, both UDP and TCP SYN packets. The connections target sometimes existing addresses but sometimes non-existing internal IPv6 addresses, so I'm not sure if it is an attempt to use me for distributed DoS... I'm using a...
by nostromog
Fri Apr 05, 2019 1:32 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 80949

Re: UKNOF 43 CVE

@pe1chl, question: in your setup externally initiated ipv6 traffic is disallowed right? Yes, externally initiated IPv6 traffic to random addresses is disallowed. I added this when NDP exhaustion attacks were discussed. Due to the address list, only systems that have initiated outbound traffic (with...
by nostromog
Fri Apr 05, 2019 2:05 am
Forum: Announcements
Topic: MikroTik smartphone app (ex Tik-App)
Replies: 487
Views: 270757

Re: Tik App, MikroTik android utility ALPHA test

Just wanted to chime in that the APP is working great ---> Router accessed remotely via IKEv2 connection to get to the router and then access APP once internal to the router. Fully agreed, last versions are good! One nit: I have a mAL Lite as Travel Router, and it has the main wireless interface in...
by nostromog
Wed Apr 03, 2019 4:35 pm
Forum: Scripting
Topic: Write IP to log
Replies: 4
Views: 1983

Re: Write IP to log

Hi, Thanks a lot but unfortunately it isn't working. I even put a delay of 45s but no luck :-( #Get Ip And Save it To "RFC_WAN_IP.txt" File In Mikrotik /tool fetch url="http://myip.dnsomatic.com/RFC_WAN_IP.txt" mode=http delay 45s #Save Ip From "RFC_WAN_IP.txt" File To...
by nostromog
Sun Mar 31, 2019 9:46 pm
Forum: General
Topic: PPPoE server IP conflict
Replies: 3
Views: 1792

Re: PPPoE server IP conflict

My big trouble was: The PPPoE server gave a IP (from pool) to a client that is in use for another client (that have remote address with static IP). On PPP Active Connections have showed 2 clients with same IP. 1) Is that a BUG on RouterOS or does it do this as a feature? My guess is that the remote...
by nostromog
Sat Mar 30, 2019 5:53 pm
Forum: General
Topic: dial-on-demand and /ipv6 settings accept-router-advertisements
Replies: 0
Views: 961

dial-on-demand and /ipv6 settings accept-router-advertisements

I wonder what might be the relation between those two settings, apparently fully unrelated but I have a number of on-demand connections here that stopped working as soon as I changed the setting from the default value of "yes-if-forwarding-disabled" to "yes", and started working a...
by nostromog
Sat Mar 30, 2019 9:19 am
Forum: General
Topic: How to filter internal traffic.
Replies: 3
Views: 1039

Re: How to filter internal traffic.

Hi, Is it possible to filter internal traffic? Example - My network ID - 192.168.3.0 HOST A - 192.168.3.10 HOST B - 192.168.3.20 HOST B is listening to port 22. Now, I want to block HOST A (192.168.3.10) to access HOST B (192.168.3.20) with port 22. Thanks.. I'm not sure if you mean the feature of W...
by nostromog
Fri Mar 29, 2019 1:06 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 2356

Re: ikev2 mikrotik to mikrotik strange behaviour

It is precisely this rule that causes the problem. If I disable it, no packet loss, if I enable it, packet loss ~ 40-60% [admin@MikroTik] > /ip firewall filter print where action=fasttrack-connection Flags: X - disabled, I - invalid, D - dynamic 0 X ;;; defconf: fasttrack chain=forward action=fasttr...
by nostromog
Fri Mar 29, 2019 10:34 am
Forum: General
Topic: DHCP keeps broadcasting and can not stop it!
Replies: 5
Views: 4824

Re: DHCP keeps broadcasting and can not stop it!

Check the status of /interface detect-internet print

For each interface to be checked it will send a dhcp discover packet per second to peep if it is a lan (it considers lan an interface where a dhcp-server exists).
by nostromog
Thu Mar 28, 2019 8:14 pm
Forum: Wireless Networking
Topic: Home glamourous Mesh Wi-Fi?
Replies: 2
Views: 1533

Re: Home glamourous Mesh Wi-Fi?

by nostromog
Thu Mar 28, 2019 7:54 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 2356

Re: ikev2 mikrotik to mikrotik strange behaviour

Must be caused by FastTrack. Exclude the traffic subject for IPsec processing from being FastTracked in firewall's forward chain by adding accept rules before the action=fasttrack-connection rule. I'm not sure how to exclude this traffic. I already have firewall rules (this is the beginning of /ip ...
by nostromog
Thu Mar 28, 2019 2:00 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 2356

Re: ikev2 mikrotik to mikrotik strange behaviour

Sounds very weird. I would try to locate the issue more precisely with packet sniffer. Ping is bidirectional traffic. With packet sniffer you could verify whether the packet is at least received on the other end. Also verify ESP or UDP/4500 packets are properly sent out and received. Just setting /...
by nostromog
Thu Mar 28, 2019 12:38 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 2356

Re: ikev2 mikrotik to mikrotik strange behaviour

What model routers are involved? Is hardware offloading used? Do you see anything suspicious under IPsec statistics? The server is a hAP ac, running 6.44.1. For what I know it does not support hardware offloading. It is in a PPPOE based ISP. Under IPsec statistics there are a few non-zero items, bu...
by nostromog
Wed Mar 27, 2019 6:50 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 2356

ikev2 mikrotik to mikrotik strange behaviour

I have set up a ikev2 network between mikrotiks, like this. The server has two networks, one local 192.168.88.0/254 and one for the current vpn: 192.168.89.0/24. I'm setting a new VPN (192.168.90.0/24) and want it to be used to access all three networks, In the server, this is the result of /ip ipse...
by nostromog
Tue Mar 26, 2019 8:08 pm
Forum: Beginner Basics
Topic: How to remove the static switch from this setup ?
Replies: 16
Views: 2457

Re: How to remove the static switch from this setup ?

connect isp utp directly to Mikrotik ether1 connect your home router to etherXX (any open port) create a new bridge make ether1 and etherXX part of that bridge. Done You will also have to substitute the new bridge name in the WAN interface list, and anywhere else that ether1 appears. For instance, ...
by nostromog
Thu Mar 21, 2019 10:32 am
Forum: Announcements
Topic: MikroTik smartphone app (ex Tik-App)
Replies: 487
Views: 270757

Re: Tik App, MikroTik android utility ALPHA test

Well the above posters already gave a hint. You have joined a private beta program and installed that invite-only version. You should delete it, delete the "TestFlight" app which manages the Beta programs, and then install the application that is meant for everyone (the one in the AppStor...
by nostromog
Wed Mar 20, 2019 1:09 pm
Forum: General
Topic: IP IPsec Package missing in router
Replies: 3
Views: 1484

Re: IP IPsec Package missing in router

/ip ipsec export --- hangs the router console terminal session. @Mikrotik support, what could be the issue. I had the same thing happening in a machine 100% CPU and unable IPsec. See 6.44 thread. Only solution I found was disable security, reset+restore from backup, re-enable security Sent from my ...
by nostromog
Tue Mar 19, 2019 11:12 pm
Forum: General
Topic: How to replicate home WiFi while staying in a hotel (VPN, capsman)?
Replies: 9
Views: 4179

Re: How to replicate home WiFi while staying in a hotel (VPN, capsman)?

It is possible, but in the general case it is very tricky. I'm building myself a travel router with a mAP Lite, mostly following the ideas from Lorenzo Bussatti ( https://www.youtube.com/watch?v=VeZetH9uX_Y ). I have it mostly working with a few VPN networks dialled on demand to route private ranges...
by nostromog
Mon Mar 18, 2019 8:24 am
Forum: General
Topic: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]
Replies: 19
Views: 14562

Re: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]

If the ISP uses SLAAC on the point to point link between you and them then there is a setting that allows the router to get an address that way. I believe it is global though. Makes your device behave like a client as in IPv6 those are the devices that should react to other routers RAs. They "...
by nostromog
Sun Mar 17, 2019 7:21 pm
Forum: Beginner Basics
Topic: Recommend way to block Ads with Mikrotik
Replies: 64
Views: 68272

Re: Recommend way to block Ads with Mikrotik

Hello, are you using Mikrotik to block ads? I know there is i.e. Pi-hole but I'm afraid pages loading will work slower if there will be requests to raspberry. I made some tests with a pi-hole running with docker in my laptop and I don't think any slowing will be significant. But I don't have a plac...
by nostromog
Sat Mar 16, 2019 11:35 pm
Forum: General
Topic: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]
Replies: 19
Views: 14562

Re: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]

My provider gives a /56 per client, using prefix delegation. All I had to do is to add a ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=mypool request=prefix to get the /56. If it does not work with your provider, try "request=address" After you get a prefix you can ...
by nostromog
Sat Mar 16, 2019 10:39 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 85
Views: 50253

Re: v6.44.1 [stable] is released!

FYI The 4th machine that I upgraded to 6.44.1 (from 6.44) started to show 100% CPU (profiled to be in ipsec) and would not respond to "/ export" or even "/ip ipsec remote-peers print". I could disable security and reboot and it was working, but without access to the disabled conf...
by nostromog
Fri Mar 15, 2019 8:25 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 85
Views: 50253

Re: v6.44.1 [stable] is released!

What for *) winbox - added "use-local-address" parameter in "IP/Cloud" menu; What I have seen is it means that IP/Cloud will expose your internal addresses in DNS. If you have a router inside your company that got 192.168.88.206 this will be the address it will return where wi...
by nostromog
Thu Mar 14, 2019 11:02 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 85
Views: 50253

Re: v6.44.1 [stable] is released!

What for *) winbox - added "use-local-address" parameter in "IP/Cloud" menu; What I have seen is it means that IP/Cloud will expose your internal addresses in DNS. If you have a router inside your company that got 192.168.88.206 this will be the address it will return Sent fro...
by nostromog
Thu Mar 14, 2019 4:19 pm
Forum: General
Topic: problems with import .rsc files on mAP Lite
Replies: 4
Views: 2560

Re: problems with import .rsc files on mAP Lite

Hi all, I wanted to export the configuration of my mAP lite in a *.rsc and import it after a reset of the device, but it doesn´t work. The device gets in some status it doesn´t work any more and a have to hard reset it via reset button. I had the same problem, caused by a Certificate for a VPN: it ...
by nostromog
Wed Mar 13, 2019 6:41 pm
Forum: Scripting
Topic: Useful scripts
Replies: 116
Views: 295779

Re: Useful scripts

However, the script would have to run every 10 seconds... Is there another way to have the firewall rule trigger a script? I don't think so. There are a few places where scripts can be triggered in response to events: in /ppp profile (on-up, on-down), useful for all ppp-based interfaces (pptp, l2tp...
by nostromog
Wed Mar 13, 2019 9:45 am
Forum: Scripting
Topic: How to really make backups (by script) ?
Replies: 15
Views: 7794

Re: How to really make backups (by script) ?

Use export. Upload export.rsc. Do /system reset-configuration no-defaults=yes run-after-reset=export.rsc. This will reset device without default values and import the new settings. Don't forget to backup certificates and keys, if you have VPN server/client definitions. Also files if you have a cust...
by nostromog
Mon Mar 11, 2019 4:37 pm
Forum: Forwarding Protocols
Topic: PPTP problem - empty winbox [SOLVED]
Replies: 7
Views: 12204

Re: PPTP problem - empty winbox [SOLVED]

Ensure that your firewall is allowing GRE related connections. If you don't it will not work

Sent from my Redmi Note 5 using Tapatalk


by nostromog
Fri Mar 08, 2019 9:58 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 218
Views: 96535

Re: v6.44 [stable] is released!

I still do not get what really is this new power line. If you compare this https://i.mt.lv/cdn/rb_files/mAP_lite-180606124033.png (the block diagram of a mAP Lite with this https://i.mt.lv/cdn/rb_files/PL7411-2nD-181218095520.png you will see that what they have presented is a power supply that tur...
by nostromog
Fri Mar 08, 2019 2:31 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 218
Views: 96535

Re: v6.44 [stable] is released!

Interface for new PWR line adapter coming next months.
hAP mini & hAP lite has it. Basically power the device and transfer data via microusb port.
Also the mAP Lite 2nd (at least mine, revision r2. I'm not sure about older ones)

I just bought a few and they came with this surprise. :)
by nostromog
Fri Mar 08, 2019 8:18 am
Forum: General
Topic: ARP/DHCP issue [SOLVED]
Replies: 9
Views: 5679

Re: ARP/DHCP issue [SOLVED]

When a host behind a NAT wants to reach an Internet address, how does that work? Does it do an ARP request or does it send the packets straight to the gateway since it already assumes the address not to be on the same L2 network? There are two kind of routes in the IP protocol: interface routes (or...
by nostromog
Fri Mar 08, 2019 8:01 am
Forum: General
Topic: Wireless Recommendation Wanted
Replies: 7
Views: 1747

Re: Wireless Recommendation Wanted

The cAP AC and the hAP ac² are the best. The hAP has 5 ports if you need them. These units are not outdoor rated, if you need that you'll need to consider the wAP AC. Do you think inside an RV type environment would be considered "outside"? It would be protected from rain and dust, but wo...
by nostromog
Wed Mar 06, 2019 1:53 am
Forum: General
Topic: dynamic ip in a dst-nat rule
Replies: 5
Views: 2599

Re: dynamic ip in a dst-nat rule

Question is if I somehow can say to the dst-address in the NAT rule "use the address you got assigned on ether1" ? In a separate thread somewhere around I read that one way would be: * activate /ip cloud set ddns-enabled=yes update-time=no (for time it is better to use ntp) * create a myp...
by nostromog
Tue Mar 05, 2019 8:16 pm
Forum: General
Topic: DHCPv6 Prefix Request Response not happening. How to Trace Debug?
Replies: 9
Views: 3594

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

This worked for my provider: /ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=mypool \ pool-prefix-length=60 request=prefix And the dhcp client will create a dynamic /ipv6 pool that will deliver /60 networks. ether1 is the connection to my provider. I also address my local netw...
by nostromog
Fri Mar 01, 2019 11:20 pm
Forum: Beginner Basics
Topic: DHCP Server Issues
Replies: 26
Views: 7701

Re: DHCP Server Issues

/interface detect-internet snoops and sets up dynamic dhcp-server in interfaces. This might be confusing some computers.

If you have it configured and you are not using it, which usually only is worth in very dynamic situations, you might disable it to see if it helps.
by nostromog
Wed Feb 27, 2019 10:18 pm
Forum: Beginner Basics
Topic: VPN
Replies: 1
Views: 820

Re: VPN

Sirs, good morning! I wonder if it is possible to leave mikrotik with two VPN configurations, one pptp and another l2tp, both active and functional. * Do you mean as a server? The answer is yes. Additionally, the users can remain the same. I migrated PPTP -> L2TP/IPsec very easily: - ensure /ppp se...
by nostromog
Wed Feb 27, 2019 1:00 pm
Forum: Scripting
Topic: ReNumber ip address via script ?
Replies: 2
Views: 1383

Re: ReNumber ip address via script ?

It is tricky. I would do "/ export file=config-..." for all of them, or at least the main types, and get the files via scp or ftp. Then you can look at the places that need renumbering. I don't use ospf, but I'd still need to change things in a lot of submenus: /ip pool, /ppp profile, /ip ...
by nostromog
Wed Feb 27, 2019 11:57 am
Forum: General
Topic: Exclude guest network from fasttrack to limit its bandwidth with simple queue - possible? [SOLVED]
Replies: 5
Views: 2537

Re: Exclude guest network from fasttrack to limit its bandwidth with simple queue - possible? [SOLVED]

It is possible that the confusion has arisen because the accept=established,related,untracked works with long term connections, so when you make changes you need to wait for existing connections to end, or else remove them (which will cause a storm of invalid packets...) You can watch the existing c...
by nostromog
Wed Feb 27, 2019 11:06 am
Forum: Beginner Basics
Topic: SSL/SSH/WINBOX to router not working using the ipv6 address
Replies: 1
Views: 1253

Re: SSL/SSH/WINBOX to router not working using the ipv6 address

Edit my own typo /7 -> /8 Hi, you have some typos in your firewall rules. Multicast addresses are ff00::/8, and link-local ff80::/10 (twice, in the address-list and in the multicast rule. See https://www.ripe.net/participate/member-support/lir-basics/ipv6_reference_card.pdf Change as /ipv6 firewall...
by nostromog
Tue Feb 26, 2019 1:24 am
Forum: General
Topic: IPv6 routing with several interfaces [SOLVED]
Replies: 3
Views: 2354

Re: IPv6 routing with several interfaces [SOLVED]

To solve (sort of) my own question, in case anyone finds it useful: I revisited the issue in a more realistic case where I got two different /64 addresses in office routers: * a nnaa:ttii:vvee:main::/64 comes from the native pool, and I use it as /ipv6 address add address=::1 from-pool=wlan interfac...
by nostromog
Fri Feb 22, 2019 12:11 am
Forum: Beginner Basics
Topic: Firewall Rule for Remote Connection (ts)
Replies: 4
Views: 1506

Re: Firewall Rule for Remote Connection (ts)

For ssh connections I'm doing this once per hour: do { :foreach mess in=[/log find where message~"failure.*via ssh" ] do={ :local tim [/log get $mess time]; :local line [/log get $mess message]; :local fr [:find $line "from "]; :local addr [:pick $line ($fr+5) [:find $line "...
by nostromog
Thu Feb 21, 2019 12:39 pm
Forum: Beginner Basics
Topic: L2TP/IPsec connection without sharing internet [SOLVED]
Replies: 6
Views: 9503

Re: L2TP/IPsec connection without sharing internet [SOLVED]

Hi All I configured our RB931 to connect to a remote L2TP server, which works fine, but I would prefer if all internet traffic did not go across the tunnel as well. I remember on Windows there was an option to unselect (something about remote gateway). How would I do this on our Mikrotik? Thanks, R...
by nostromog
Sat Feb 16, 2019 1:53 am
Forum: Announcements
Topic: IP Cloud
Replies: 79
Views: 159875

Re: IP Cloud

IP Cloud is made so that it does not pose a security threat. It will assign FQDN to IP address of your router. In RouterOS 6.43 or newer - it will have both A and Quad A entry maintained by the router (if both v4 and v6 connections can reach our backend). There is a clear problem not being able to ...
by nostromog
Mon Feb 11, 2019 11:28 am
Forum: General
Topic: RouterOS 6.7 - /queue monitor show zeroes
Replies: 1
Views: 1492

Re: RouterOS 6.7 - /queue monitor show zeroes

With
/queue monitor
I'm also seeing zero values, when there are simple queues and they are in use and dropping packets occasionally.

Also, I can't find any documentation on this option. Is
/queue monitor
a residual from old versions? something not (yet) implemented?

Thanks
by nostromog
Thu Feb 07, 2019 10:38 am
Forum: Beginner Basics
Topic: New Hap AC2 setup. Couple of questions/problems
Replies: 3
Views: 2388

Re: New Hap AC2 setup. Couple of questions/problems

Your configuration looks ok. I would check cabling issues in the ethernet lan side. You can check the status in the Mikrotik with something like this (it is from a hAP ac, slightly different as it has the sfp1 port: [admin@MikroTik] > /interface ethernet monitor [find] name: ether1 ether2 ether3 eth...
by nostromog
Sat Feb 02, 2019 9:57 am
Forum: General
Topic: Need Assistance with Syntax
Replies: 4
Views: 1211

Re: Need Assistance with Syntax

I think this should work /ip dhcp-server lease print where !dynamic and !disabled and !(comment~"disregard") I prefer it to: ip dhcp-server lease print where !(dynamic) && !(disabled) && !(comment~"disregard") For some reason the regex matching operator "~&q...
by nostromog
Sat Feb 02, 2019 4:44 am
Forum: General
Topic: High number of established connections for one address
Replies: 26
Views: 11044

Re: High number of established connections for one address

What is the use-case here of opening a ssh session and letting it sit for 30 minutes with NO data flowing in either direction? The established timeout is after last packet sent... Edit: actually that would even be a security issue! My use cases for this are: the boss interrupting me for half an hou...
by nostromog
Thu Jan 31, 2019 3:41 pm
Forum: General
Topic: Problem with arp
Replies: 0
Views: 1748

Problem with arp

I had yesterday a sudden, unexpected outage in a small Mikrotik router I'm using for internet temporarily. At the moment I had little firewall protection as it was a quick experiment that lasted a bit more than expected, now I have taken care of it. The setup is: * I'm running Router OS 6.43.8, a qu...
by nostromog
Sun Jan 27, 2019 4:15 pm
Forum: General
Topic: a clear configuration L2TP server on a Mikrotik router
Replies: 8
Views: 7038

Re: a clear configuration L2TP server on a Mikrotik router

Here is how to do it for iOS and Windows 10. Note, that the Windows 10 profile needs to be created via command line to get AES256 support. I don't have experience with Android, but generally speaking, if you can't connect you'll need to use hash-algorithm=sha1 and other less secure methods (not rec...
by nostromog
Tue Jan 01, 2019 1:42 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 28
Views: 10179

Re: Why (not) use Hairpin NAT

It is a balance between requirements. Even for a small company dealing with around 30 identities it is tricky and sometimes impossible to force all people to use our internal DNS, as there are different use cases: cloud servers connecting to server through VPN need stable addressing road warriors te...
by nostromog
Thu Dec 13, 2018 1:03 am
Forum: General
Topic: IPv6 routing with several interfaces [SOLVED]
Replies: 3
Views: 2354

IPv6 routing with several interfaces [SOLVED]

I have a router in one provider who didn't read RFC 6177 and thus assigns my MikroTik router 1 (YES, I said ONE) IPv6 in ether1, using DHCPv6. It also tells me gently to set up a default router to this interface. They also block protocol 41, because they don't want my life to be too easy. To be able...
by nostromog
Tue Dec 11, 2018 2:04 pm
Forum: General
Topic: ikev2 ports [SOLVED]
Replies: 7
Views: 11908

Re: ikev2 ports [SOLVED]

Okay, 50% of mystery solved :) Why is then my connection working even while I'm not allowing ipsec protocol (50) on input chain? IPsec works as follows: * IKE (Internet Key Exchange) protocol is used to set up a security association (SA) by agreeing in short term crypto parameters. IKE requires UDP ...
by nostromog
Wed Dec 05, 2018 11:59 am
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 33839

Re: v6.43.7 [stable] is released!

My data point. I updated 2.5 routers (.5 is the testing one, an hAP ac lite, and 2 production hAP ac). Two small offices with some tunneling and a VPN stuff. Everything seems to work ok after a few hours, nothing happened re: configuration changes, etc. Really smooth. It looks slightly more performa...
by nostromog
Mon Dec 03, 2018 12:09 pm
Forum: General
Topic: How are hardware ports associated with names
Replies: 5
Views: 2810

Re: How are hardware ports associated with names

As for the confusion between user-assigned interface names and the original names, here's what can help you: foreach ifid in=[interface find where default-name~"."] do={put ([/interface get $ifid name]." is a user-defined alias of ".[interface get $ifid default-name])} Slightly ...
by nostromog
Thu Nov 29, 2018 2:05 pm
Forum: Wireless Networking
Topic: WAP with IPv6
Replies: 8
Views: 1753

Re: WAP with IPv6

I have already tried this example but I don't have LLA on the required interface wlan1 as described in the example: "We also have link local address on the interface which is created automatically for every IPv6 capable interface." Does it mean that my wlan1 interface as well as both ethe...
by nostromog
Wed Oct 17, 2018 1:44 pm
Forum: General
Topic: ROS 6.43.2 export config BUG
Replies: 3
Views: 1135

Re: ROS 6.43.2 export config BUG

I found another bug that could qualify as a security problem: [admin@MyMikroTik] > /interface 6to4 export hide-sensitive # oct/17/2018 12:40:30 by RouterOS 6.43.2 # software id = 07CG-QIMK # # model = RouterBOARD 962UiGS-5HacT2HnT # serial number = NNNNA123NNN /interface 6to4 add ipsec-secret=REALLY...
by nostromog
Sun Oct 14, 2018 8:23 pm
Forum: General
Topic: Silly feature request
Replies: 0
Views: 738

Silly feature request

For home or SOHO users it might be nice to have: * a new type of /system logging action, something like "led" * a new type of firewall action (or maybe a led parameter), so that a firewall rule would trigger... * a new type of led type, sys-alert So I could have the red led in the routers ...
by nostromog
Thu Oct 11, 2018 12:15 am
Forum: Beginner Basics
Topic: Proper model and settings for small ofice
Replies: 4
Views: 1062

Re: Proper model and settings for small ofice

... a suitable Microtik model to combine 2 vendors, as there is often no connection with the current vendor. We did something similar (but for load balance) recently, in an office a bit bigger than yours and IT, so with heavy use things such as git or docker images... The office has 1 server and 4 ...
by nostromog
Wed Oct 10, 2018 10:27 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 4520

Re: Problem with 6to4 inside PPPoE [SOLVED]

Solved!

I no longer need workarounds, and can confirm that for me HE tunnels work all right:

after a firmware upgrade of my HGU from _n43 to _n53 now my HE tunnel works like a charm!
by nostromog
Wed Oct 10, 2018 3:48 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 4520

Re: Problem with 6to4 inside PPPoE [SOLVED]

Why you don't want to make HE tunnel mtu lower than pppoe tunnel mtu? Where have you got the idea that I don't want? When PPPoE tunnel MTU is 1492, 6to4 tunnel MTU is 1472, 20 bytes smaller when PPPoE tunnel MTU is 1480 (what MikroTik negotiates), 6to4 tunnel MTU is 1460... 20 bytes smaller again a...
by nostromog
Wed Oct 10, 2018 11:10 am
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 4520

Re: Problem with 6to4 inside PPPoE [SOLVED]

So what MTU do you have on the 6to4 after all? And in the HE cabinet? Yesterday night I made the final test: I patched rp-pppoe code so that it would accept packets with the wrong length at header field and run PPPoE + HE 6to4 tunnel in my laptop. $ git clone git@github.com:Distrotech/rp-pppoe.git ...
by nostromog
Wed Oct 10, 2018 1:42 am
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 4520

Re: Problem with 6to4 inside PPPoE [SOLVED]

But I have tried auto, 1500 (upping my L2 MTU), 1492, 1488, 1480 (which is the one that gets selected when I say "auto"). PPPoE default is 1492, 6to4 subtracts 20 (that is why “auto” is 1480=1500-20), so you should at least try 1472. And specify it on both ends - yours and in HE settings...
by nostromog
Tue Oct 09, 2018 4:58 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 4520

Re: Problem with 6to4 inside PPPoE [SOLVED]

Why you using ethernet interface for pppoe traffic, when your transport is ISP vlan? If you meant that in your ISP infra exists vlan, you don't need worry about it, cause ISP had to pop up his l2 mtu on all his switches. VLANs are only visible in the "outer" side, when I mirror the fibre ...
by nostromog
Tue Oct 09, 2018 2:05 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 4520

Re: Problem with 6to4 inside PPPoE [SOLVED]

There it is, I edited the tunnel endpoints and I'm not posting the addresses/routes or serial numbers. BTW, /interface 6to4 export hide-sensitive does NOT hide the "ipsec-secret" attribute that I have in a different, ipsec protected, 6to4 tunnel that works perfectly. :) As I said, ICMP, UD...
by nostromog
Mon Oct 08, 2018 7:28 pm
Forum: General
Topic: Problem with 6to4 inside PPPoE [SOLVED]
Replies: 15
Views: 4520

Problem with 6to4 inside PPPoE [SOLVED]

I have had a long nightmare trying to connect my machine to Hurricane Electric tunnelbroker. Now it is no longer a nightmare, at least I know the problem, even if I have not yet found a solution. Context: * My provider, Telefonica/Movistar, dominant operator in Spain, is well known for its neglect t...
by nostromog
Sun Sep 23, 2018 6:27 pm
Forum: Scripting
Topic: "No such item (4)" while counting connections
Replies: 11
Views: 6001

Re: "No such item (4)" while counting connections

I think using
:set result [:len [/ip firewall connection find where dst-address~":80"]]
is cleaner. And in my experience, for some arcane reason, avoids the non-atomic list traversal.
by nostromog
Sun Sep 23, 2018 11:35 am
Forum: Beginner Basics
Topic: Router connections
Replies: 5
Views: 1897

Re: Router connections

TIME-WAIT is one of the states through which the TCP protocol state machine models its connections

This is a reasonable explanation of it: https://community.apigee.com/articles/7 ... ained.html
by nostromog
Wed Sep 19, 2018 1:07 am
Forum: General
Topic: NAT out over multiple IPs
Replies: 2
Views: 1136

Re: NAT out over multiple IPs

This was working for me (with two addresses only): https://wiki.mikrotik.com/wiki/ECMP_load_balancing_with_masquerade The idea is to send packets starting connections, be them forwarded or originated locally, randomly through the N addresses, and to mark for use of the same IP packets received from ...
by nostromog
Tue Sep 18, 2018 5:31 pm
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 5066

Re: Port 60000 attacks, anyone info on this?

I'm seeing them too. From two different routers: [admin@MikroTik] > /log print count-only where message~":60000->" 6 and [admin@MikroTik] > /log print count-only where message~":60000->" 14 They are stealth in the sense that they avoid typical blacklisting attempts; just a few co...
by nostromog
Mon Sep 17, 2018 8:37 pm
Forum: Beginner Basics
Topic: How to configure VPN on my Microtik?
Replies: 2
Views: 1354

Re: How to configure VPN on my Microtik?

You need to know the technology of your provider. RouterOS offers you # L2TP client /interface l2tp-client add name="my-provider" connect-to="ip" user="myusername" password="mypassword" # Open VPN client /interface ovpn-client add... #same options # SSTP clien...
by nostromog
Fri Sep 14, 2018 1:06 am
Forum: Scripting
Topic: Parser bug
Replies: 1
Views: 968

Parser bug

While trying to code a small script I found a problem with "=" in associative arrays: [admin@MikroTik] > :put ({"a"."b"=1;"b"."a"=2;"ab"=3}); false;false;ab=3 Basically, in an array, if the key is not a literal, the equal sign is taken as a...
by nostromog
Tue Sep 11, 2018 5:25 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 147
Views: 70814

Re: v6.43 [current] is released!

I upgraded one hAPac to 6.43 about 27 hours ago, everything is working well as far as I can tell. I'll upgrade our other machines during the weekend. The machine I upgraded was the one running 6.43rc64 before (never got time to test the last rc). It looks much faster now, but I guess rc are built wi...
by nostromog
Sat Sep 08, 2018 3:19 am
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 41
Views: 11324

Re: [SOLVED] IPv6 pings work, webpage won't load

Yes, my router is the client. I have experimented with those values, but everything is consistent and ipv4 works like a charm. From linux I can ping ipv6.tunnelbroker.net with up to 1360 bytes, ipv6.google.com up to 1232 bytes, more than this (no upper limit) is a blackhole for both: Have you tried...
by nostromog
Sat Sep 08, 2018 2:59 am
Forum: General
Topic: iPhone tethering to Mikrotik?
Replies: 13
Views: 13504

Re: iPhone tethering to Mikrotik?

I have tried USB tethering with an android phone, and it works well:

* Connect the phone to the RB, it will be seen as lte1
* Go to Tethering and select USB tethering

I tried it with a phone that was connected to a different wifi than the router, and also using the SIM, and it worked well.
by nostromog
Wed Aug 29, 2018 12:08 am
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 41
Views: 11324

Re: [SOLVED] IPv6 pings work, webpage won't load

Does not make any difference, I tried all the combinations of values. Additionally I restricted all MTUs (of both the 6to4 and their side) to 1280 as they instruct to do, or left me/them as 1480, 1472, 1460, 1452... Always the same behaviour. I'm a bit lost. I tried the mangle rules, but no change....
by nostromog
Tue Aug 28, 2018 7:25 pm
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 41
Views: 11324

Re: [SOLVED] IPv6 pings work, webpage won't load

mducharme If using HE tunnelbroker over PPPoE you need to lower the MTU on the tunnelbroker side, the default on their end is 1480 which is too big if you have PPPoE overhead. If your PPPoE is 1480, decrease that setting to 1460, and then it should be OK. It is done through their web interface under...
by nostromog
Mon Aug 27, 2018 6:09 pm
Forum: General
Topic: pppoe-out connection
Replies: 13
Views: 4061

Re: pppoe-out connection

One way to force script execution when a connection changes state is to use the on-up / on-down attributes of the /ppp profiles. So you could have something like:
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 max-mru=1500 max-mtu=1500 mrru=1614 name=pppoe-out1 passwo...
by nostromog
Mon Aug 27, 2018 2:24 pm
Forum: Announcements
Topic: v6.42.7 [current] is released!
Replies: 159
Views: 69855

Re: v6.42.7 [current] is released!

I upgraded during the weekend 1 hap ac (from 6.42.6) and 1 751G-2HnD (from 6.42.5 firmware 6.42.4, as I had forgotten one reboot). No problem in either of them.

In both I changed to "disable-pmkid=yes". No problem with wifi has been reported (and I warned the people in advance).
by nostromog
Sat Aug 25, 2018 3:24 am
Forum: General
Topic: [SOLVED] IPv6 pings work, webpage won't load
Replies: 41
Views: 11324

Re: [SOLVED] IPv6 pings work, webpage won't load

I have pretty much the same problem, in my case ipv6 is a 6to4 tunnel inside a pppoe interface. Could the problem be coming from some "inherit" in do-not-fragment that makes that the ipv4 tunnel drops the ipv6 big packet, and thus the ipv6 stack never sees the error? (wild guess)
by nostromog
Mon Aug 20, 2018 7:58 pm
Forum: Scripting
Topic: Blacklisting seems popular, honeypot made simple
Replies: 12
Views: 7984

Re: Blacklisting seems popular, honeypot made simple

I wrote a small combination of white/blacklist, download and parsing of the dshield 20 top attackers lists (which I download every hour with a timeout of 1w, so it keeps growing but not beyond ~60 hosts) and fail2ban for failed ssh attempts. The combo is mostly lightweight, like yours, and is droppi...
by nostromog
Sat Aug 18, 2018 5:44 pm
Forum: Beginner Basics
Topic: Does hairping NAT works from target to itself?
Replies: 1
Views: 837

Does hairping NAT works from target to itself?

I have a setup with hairpin, and for simplicity I want to be able to test from the destination machine itself. I have router public ip<--------------------target ip target router ip-------------------->target ip router ip<--------------------target ip public ip-------------------->target ip It is no...
by nostromog
Thu Aug 16, 2018 10:54 pm
Forum: General
Topic: Scripting assistant for dummies.
Replies: 1
Views: 949

Re: Scripting assistant for dummies.

I got a lot of information from the export command. Once you have the router configured, you do
/ export file="config-<loc>-2018-08-16-01"
And later
scp admin@192.168.88.1:config-<loc>-2018-08-16-01.rsc ~/router/configs/
The name is designed so that you can have several router histories of...
by nostromog
Thu Aug 16, 2018 8:29 am
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 63929

Re: v6.42.6 [current]

Problem with 6.42.6 and 6.43rc51

We have 3 routers, one running 6.42.5, one 6.42.6 and the third one got 6.43rc51 while trying to solve some problems and stood there for the moment. Now, in the one with 6.42.5 /system history print works perfectly, but in the other two it produces the same output: ...
by nostromog
Tue Aug 14, 2018 10:36 am
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 63929

Re: v6.42.6 [current]

Problem with 6.42.6 and 6.43rc51

We have 3 routers, one running 6.42.5, one 6.42.6 and the third one got 6.43rc51 while trying to solve some problems and stood there for the moment. Now, in the one with 6.42.5 /system history print works perfectly, but in the other two it produces the same output:
[...
by nostromog
Sat Aug 04, 2018 8:54 am
Forum: General
Topic: Routing/arp problem [solved]
Replies: 2
Views: 3572

Re: Routing/arp problem [solved]

After carefully discarding all the rest, I found what was the deep cause of it. I'm explaining here to help others: In my original I simplified my exposition of the problem to avoid swamping you with data. We really have dual up-streams here, and I was using the solution Dual WAN Load-Balancing with...
by nostromog
Wed Aug 01, 2018 2:23 pm
Forum: General
Topic: Routing/arp problem [solved]
Replies: 2
Views: 3572

Routing/arp problem [solved]

I have a relatively standard Mikrotik setup where the VPN connections appear as <l2tp-user> interfaces, with <vpn-address>/32 <router-vpn-address>. The internal machines are in a bridge ether3-ether5, with the upstream directly connected in ether1. I'm not sure if my problems started with some confi...
by nostromog
Sat Jul 21, 2018 8:38 pm
Forum: General
Topic: Did recent updates break Path MTU discovery ?
Replies: 1
Views: 1758

Re: Did recent updates break Path MTU discovery ?

I seem to be seeing a very similar behaviour:

* we bought a new router, same model as another of our four ones, and I'm experimenting with ipv6 on it using tunnels
* one of the old models, whose configuration has not been changed recently, has PPPoE as upstream, another one is natted under a PPPoE...
by nostromog
Sat Jul 21, 2018 9:48 am
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 63929

Re: v6.42.6 [current] Problem with ipv6

privileges IPv6 for some reason. So, when I reboot and get a new dynamic IPv4, my IPv6 needs to be told about it, but I can't because only IPv6 resolver works and I have no IPv6:
[admin@MikroTikToledo] > :put [resolve www.google.com server=2001:470:20::2]
216.58.195.68
[admin@MikroTikToledo] > :put...
by nostromog
Fri Jul 20, 2018 5:25 am
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 63929

Re: v6.42.6 [current] Problem with ipv6

Are you sure IPv4 is available at all at that moment? Can you ping 1.1.1.1 or 8.8.8.8? For me it looks like you have ipv6 and no ipv4 right after reboot. You are right. While trying to solve the problem I moved the wrong rule and was dropping way too much ipv4 at that moment... After some more anal...
by nostromog
Wed Jul 18, 2018 10:44 pm
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 63929

Re: v6.42.6 [current] Problem with ipv6

Two problems I'm seeing with this update Are you sure it was working in previous releases? ;) Not really, new router and new tunnel. it was working for a while after I rebooted with ipv6 tunnel but now it does not work. The core problem, I think, is the internal resolver always asks for A records, ...
by nostromog
Wed Jul 18, 2018 4:10 pm
Forum: Announcements
Topic: v6.42.6 [current]
Replies: 102
Views: 63929

Re: v6.42.6 [current] Problem with ipv6

Two problems I'm seeing with this update, if you have operating ipv6:
[admin@MikroTik] > /ping count=1 ipv6.google.com
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
failure: dns name exists, but no appropriate record
[a...