Community discussions

Search found 58 matches

by pegasus123
Sun Jun 16, 2019 7:12 am
Forum: General
Topic: QoS
Replies: 14
Views: 979

Re: QoS

You mentioned your rule already works, so why not just skip YouTube connections in your WEB marking?

connection-mark=!YOUTUBE
by pegasus123
Sun Jun 16, 2019 6:46 am
Forum: General
Topic: Mikrotik mangle for VoIP
Replies: 3
Views: 405

Re: Mikrotik mangle for VoIP

I find ip>firewall>connection very useful to determine if I properly marked a connection, especially if dealing with a large conntrack table.

https://wiki.mikrotik.com/wiki/Manual:I ... n_tracking
by pegasus123
Thu Jun 06, 2019 11:31 am
Forum: General
Topic: Basic traffic prioritization
Replies: 8
Views: 550

Re: Basic traffic prioritization

You do not need to set a limit on each priority; you can just cap overall bandwidth to 85 to 90% ideally and just arrange them according to your case. The limit-at will guarantee that priority gets that amount, e.g. 20mbps down / 20mbps up OVERALL - 18mbps capped, Priority 1 - VOIP - limit-at 5mb ma...
by pegasus123
Tue Mar 26, 2019 4:23 pm
Forum: General
Topic: Mangle rule to match https initial packet [SOLVED]
Replies: 9
Views: 509

Re: Mangle rule to match https initial packet [SOLVED]

My OpenVPN only accepts the connection if the first packet is 60 bytes. Connections like telnet won't get through and will be thrown to the DROP rule.

Not great but works for me.
by pegasus123
Tue Mar 26, 2019 2:29 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 750

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Well, I think it's coming from your client, not from your router, since it's on the forward chain.
by pegasus123
Tue Mar 26, 2019 9:01 am
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 10
Views: 750

Re: wAP AC reaching out to 159.148.172.226:80 every hour

The IP is download.mikrotik.com; I just typed it in my mobile. Probably checking updates.
by pegasus123
Sat Mar 23, 2019 10:41 am
Forum: General
Topic: iOS app reporting Internet available (limited access)
Replies: 6
Views: 950

Re: iOS app reporting Internet available (limited access)

Same with Android; I have no problem as well, so it can be ignored. Probably just a bug.
by pegasus123
Mon Mar 18, 2019 2:44 pm
Forum: General
Topic: Mangle rules
Replies: 4
Views: 345

Re: Mangle rules

First you mark the connection and then mark the packets. When you mark a connection, you mark only the NEW connection so that you don't keep marking connections which are already marked. You will use this connection mark to mark packets. So your mark-connection packet stats will be way less than packe...
by pegasus123
Tue Feb 19, 2019 11:05 am
Forum: General
Topic: Convert to Switch Chip VLAN from Bridge VLAN
Replies: 6
Views: 534

Re: Convert to Switch Chip VLAN from Bridge VLAN

When you're transferring data between different VLANs, your RBD52G is actually routing. So the performance very much depends on how firewall rules are constructed. When, on the other hand, data is transferred between different ports but within the same (V)LAN, your RBD52G is performing bridging/switchi...
by pegasus123
Tue Feb 19, 2019 4:27 am
Forum: General
Topic: Convert to Switch Chip VLAN from Bridge VLAN
Replies: 6
Views: 534

Re: Convert to Switch Chip VLAN from Bridge VLAN

OK, here's another update. It looks OK now to me; just wondering why using my VLAN in my network isn't helping. Now that I configured a bridge-only network, I was able to attain GB speed. Just bridge, no VLAN: https://i.imgur.com/OiY8EPt.png Here's the config: /interface bridge add name=bridge1 add name=bridge2_ccbo...
by pegasus123
Tue Feb 19, 2019 2:48 am
Forum: General
Topic: Convert to Switch Chip VLAN from Bridge VLAN
Replies: 6
Views: 534

Re: Convert to Switch Chip VLAN from Bridge VLAN

@sebastia, it's connected to a dumb gigabit switch (D-Link), then connected with a bunch of computers. It's slow when I transfer files from main to vlan_ccboot. Here's an iperf from MAIN to one of the computers in vlan_ccboot: https://i.imgur.com/rWPPaMz.png I just wonder if this can be improved or this is alr...
by pegasus123
Mon Feb 18, 2019 11:18 am
Forum: General
Topic: Convert to Switch Chip VLAN from Bridge VLAN
Replies: 6
Views: 534

Convert to Switch Chip VLAN from Bridge VLAN

Hi, I'm trying to understand how to do the switch chip VLAN. I already have a bridge VLAN, but for some reason the network throughput between my main network and VLAN is slow. I have a hAP AC2. Here's my setup. The ether2 is purely wired (Pvid 40); everything else of VLAN is on Wifi (guest, hotspot, etc) a...
by pegasus123
Fri Feb 01, 2019 6:44 pm
Forum: General
Topic: Poor WiFi performance - hAP AC ^2
Replies: 6
Views: 1853

Re: Poor WiFi performance - hAP AC ^2

I can get my max ISP speed, 50mbps up/down, on the AC2 5GHz 80MHz on a Samsung S8. 2GHz seems fine as well.
by pegasus123
Thu Jan 31, 2019 12:50 pm
Forum: General
Topic: hap lite, not enough disk space.
Replies: 8
Views: 4224

Re: hap lite, not enough disk space.

Will netinstall help in this case?
by pegasus123
Thu Jan 31, 2019 12:48 pm
Forum: General
Topic: Tools firewall
Replies: 2
Views: 386

Re: Tools firewall

I think he wanted to see which firewall rule blocks his traffic.

If yes, then just use logging in the firewall rule and observe the traffic.
by pegasus123
Thu Jan 31, 2019 11:52 am
Forum: General
Topic: Limit upload connection by SIZE.
Replies: 4
Views: 455

Re: Limit upload connection by SIZE.

A connection works both ways; you cannot drop UPLOAD without basically dropping DOWNLOAD as well. You can limit upload by using the mangle facility.
by pegasus123
Thu Jan 31, 2019 11:49 am
Forum: General
Topic: "Script error, no such item"
Replies: 0
Views: 388

"Script error, no such item"

Should I be concerned with this? I noticed this in the log since it's RED and I don't have any scheduler running at this time. How do I check this? I have checked scheduler and scripts; there was nothing there that can explain it. I added the script in logging to USB, but it doesn't tell me much https:/...
by pegasus123
Tue Jan 29, 2019 4:35 am
Forum: Beginner Basics
Topic: block inter VLAN traffic
Replies: 17
Views: 2030

Re: block inter VLAN traffic

That sounds silly JT. What are you trying to accomplish?? VLAN to VLAN traffic is blocked by default at layer 2. VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule. The only thing the OP requires is an allow VLAN to WAN rule! This is my answer for pegasus123 - it's fir...
by pegasus123
Mon Jan 28, 2019 12:43 pm
Forum: Beginner Basics
Topic: block inter VLAN traffic
Replies: 17
Views: 2030

Re: block inter VLAN traffic

Thanks for that. Have tried reading the firewall section of the wiki; that just leaves me plenty confused.
Trust me, I'm no master in this area as well, but tinkering with the firewall when I bought MikroTik a few months ago helped me a lot.

Still a lot to learn.
by pegasus123
Mon Jan 28, 2019 4:24 am
Forum: Beginner Basics
Topic: block inter VLAN traffic
Replies: 17
Views: 2030

Re: block inter VLAN traffic

Just drop it?

add action=drop chain=forward in-interface=vlan100 out-interface=vlan200
add action=drop chain=forward in-interface=vlan200 out-interface=vlan100
by pegasus123
Sun Jan 27, 2019 9:42 am
Forum: Beginner Basics
Topic: Queues oh the queues
Replies: 1
Views: 227

Re: Queues oh the queues

Try limiting by VLAN, bridge or by IP address, whatever you use.
by pegasus123
Sat Jan 26, 2019 6:11 am
Forum: General
Topic: OVPN connections and drop rules
Replies: 1
Views: 286

Re: OVPN connections and drop rules

The log doesn't actually say anything. Besides, there are many port scanners / telnet from the internet. You can try changing it if you are using the default port.

You can try logging your connection via input passthrough and try to debug what's happening.
by pegasus123
Sat Jan 26, 2019 5:49 am
Forum: Beginner Basics
Topic: Using RouterOS to prioritize (Qos) traffic for a Class C net
Replies: 111
Views: 186112

Re: Using RouterOS to prioritize (Qos) traffic for a Class C

Is my understanding correct? Your understanding is correct in that the rule translating connection-mark into packet-mark may be there only once (as the last one, after the two assigning the connection-mark). Regarding the need for two rules assigning the connection-mark, it is a more complex...
by pegasus123
Fri Jan 25, 2019 2:29 pm
Forum: Beginner Basics
Topic: Block Password Error
Replies: 6
Views: 449

Re: Block Password Error

Yeah, I made the correction.
by pegasus123
Fri Jan 25, 2019 1:03 pm
Forum: Beginner Basics
Topic: Block Password Error
Replies: 6
Views: 449

Re: Block Password Error

I just tested with Winbox. Basically, connecting 3 times in under 5 minutes to Winbox, like say "getting invalid password", the source IP will be blocked for a day. add action=drop chain=input comment="Drop input" dst-port=8291 protocol=tcp \ src-address-list=RETRY3 add action=add-src-to-address-list ...
by pegasus123
Fri Jan 25, 2019 12:27 pm
Forum: Beginner Basics
Topic: Using RouterOS to prioritize (Qos) traffic for a Class C net
Replies: 111
Views: 186112

Re: Using RouterOS to prioritize (Qos) traffic for a Class C

I'm a little curious why you have some rules twice: /ip firewall mangle add chain=forward action=mark-connection protocol=udp src-address=192.168.100.5 connection-state=new new-connection-mark="VOIP" comment="IP-PBX" add chain=forward action=mark-packet passthrough=no connection-mark="VOIP" ...
by pegasus123
Fri Jan 25, 2019 10:53 am
Forum: General
Topic: Hotspot on SD Card
Replies: 5
Views: 666

Re: Hotspot on SD Card

Not sure what's going on with your setup, but I just tried now and I was able to repoint to an SD card using a test login page.
by pegasus123
Fri Jan 25, 2019 4:40 am
Forum: General
Topic: New connection but not SYN
Replies: 8
Views: 550

Re: New connection but not SYN

This is normal "background traffic" - a client behind your router closed a connection to a server (FIN / RST) but the packet was lost in transit. The server has no idea the connection is closed, but because your router saw the outgoing FIN / RST, it removed the conntrack entry. So any packets comin...
by pegasus123
Thu Jan 24, 2019 5:21 pm
Forum: General
Topic: New connection but not SYN
Replies: 8
Views: 550

Re: New connection but not SYN

Thanks @AlainCasault @pe1chl! I am learning so much here. I'll try fixing my firewall based on your inputs. Thanks for the help!
by pegasus123
Thu Jan 24, 2019 4:37 pm
Forum: General
Topic: New connection but not SYN
Replies: 8
Views: 550

Re: New connection but not SYN

Thanks! Here's my firewall; I'm not sure in which part I made a mistake. How do I prevent it? It's consuming bandwidth. /ip firewall filter add action=fasttrack-connection chain=forward comment="fasttrack LAN" \ in-interface-list=LAN log-prefix=FT out-interface-list=LAN add action=drop chain=forward co...
by pegasus123
Thu Jan 24, 2019 4:17 pm
Forum: General
Topic: New connection but not SYN
Replies: 8
Views: 550

New connection but not SYN

Hi, maybe someone understands this better. There are occasions I've been bombarded with ACK requests, but it looks like a NEW connection; it should be a SYN request. And it seems the default firewall was not able to block it. I posted this a while back: https://forum.mikrotik.com/viewtopic.php?f=2&t=143705&p=707...
by pegasus123
Tue Jan 22, 2019 6:06 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4392

Re: Mark the traffic for YouTube, Facebook, etc.

Okay, so let me get this straight: A. Use a script to catch UDP traffic going to those sites (create address list). B. Use my borrowed code with the latest changes to catch TCP traffic going to those sites (create address list). C. All jump to my last two rules, which can be used to mangle address list traff...
by pegasus123
Tue Jan 22, 2019 3:31 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4392

Re: Mark the traffic for YouTube, Facebook, etc.

@anav, tls-host only works for TCP; you should use ivicask's script to read googlevideo.com DNS from the cache and write it to an address list.
by pegasus123
Tue Jan 22, 2019 2:39 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4392

Re: Mark the traffic for YouTube, Facebook, etc.

Yeah, good stuff. I noticed that when you are using the mobile app, it uses UDP 443 instead of TCP.

For desktop, I believe that the Google QUIC protocol is disabled by default, hence it should work with TCP (which is where tls-host only works).
by pegasus123
Tue Jan 22, 2019 2:32 pm
Forum: General
Topic: 6.43.8 vulnerability or hack?
Replies: 31
Views: 6710

Re: 6.43.8 vulnerability

Well, we know for a fact that in the previous version Winbox has a vulnerability. Opening this to the world is like waiting for this to happen. What you said may or may not be true.

You should set up a VPN instead, like PPTP, OVPN, etc. Much safer.
by pegasus123
Tue Jan 22, 2019 1:59 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4392

Re: Mark the traffic for YouTube, Facebook, etc.

I also tried implementing YouTube traffic control via this and it's absolutely not working. The TLS host thing is totally useless in this case and doesn't pick the actual IP of the video stream. *.googlevideo.com *.youtube.com give me about 4 IPs to my address list, but when I start a YouTube video it comes from so...
by pegasus123
Tue Jan 22, 2019 12:34 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4392

Re: Mark the traffic for YouTube, Facebook, etc.

I also tried implementing YouTube traffic control via this and it's absolutely not working. The TLS host thing is totally useless in this case and doesn't pick the actual IP of the video stream. *.googlevideo.com *.youtube.com give me about 4 IPs to my address list, but when I start a YouTube video it comes from so...
by pegasus123
Tue Jan 22, 2019 11:00 am
Forum: General
Topic: Limit wireless bandwidth
Replies: 3
Views: 1406

Re: Limit wireless bandwidth

I think you should set up QoS rules for internet prioritization.

https://wiki.mikrotik.com/wiki/Traffic_ ... lemetation
by pegasus123
Mon Jan 21, 2019 1:59 pm
Forum: General
Topic: Open vpn android
Replies: 2
Views: 401

Re: Open vpn android

If not done already, you must use the absolute path for each of your files, like /sdcard/client.crt.
by pegasus123
Mon Jan 21, 2019 12:53 pm
Forum: General
Topic: Mikrotik per user bandwidth volume consumption report
Replies: 13
Views: 994

Re: Mikrotik per user bandwidth volume consumption report

You can see his signature on every post of his.
by pegasus123
Mon Jan 21, 2019 7:35 am
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4392

Re: Mark the traffic for YouTube, Facebook, etc.

@anav, I'm not particularly sure about your setup because my network is simple. But I think you are on the right track. 1. You would need to pre-route mark (Mangle) any tls-host=*googlevideo.com so that you can process it in QUEUE. 2. Since you have the mark on the prerouting table, you can create a rule goi...
by pegasus123
Mon Jan 21, 2019 7:32 am
Forum: General
Topic: Help with DNS, Allow Remote Requests and Firewall
Replies: 8
Views: 1048

Re: Help with DNS, Allow Remote Requests and Firewall

There are two ways I believe you can set up your DNS. In IP > DHCP Server > Networks -- DNS Servers 1. If you set the DNS to your local IP such as 192.168.1.1, then you would need to enable "Allow Remote Requests" because your router will now need to act as a DNS server. Hence it's also required th...
by pegasus123
Sat Jan 19, 2019 5:41 am
Forum: General
Topic: DNS Allow Remote Requests
Replies: 6
Views: 35010

Re: DNS Allow Remote Requests

You replied to a post from 2012.
by pegasus123
Wed Jan 16, 2019 10:23 am
Forum: General
Topic: Hotspot on SD Card
Replies: 5
Views: 666

Re: Hotspot on SD Card

You are going in the right direction: you must move the hotspot HTML pages to your SD card, then change the Hotspot server profile to point to that new directory.
by pegasus123
Mon Jan 14, 2019 3:16 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4392

Re: Mark the traffic for YouTube, Facebook, etc.

In firewall mangle, I just use tls-host to detect if it's *.googlevideo.com, then write it to an address list; from then on I can limit the speed. Not sure about Facebook though. add action=add-dst-to-address-list address-list=YOUTUBE address-list-timeout=\ 12h chain=forward comment="add youtube to address ...
by pegasus123
Mon Jan 14, 2019 3:11 pm
Forum: General
Topic: SSH WAN port first time
Replies: 3
Views: 316

Re: SSH WAN port first time

You must allow the traffic to proceed. It should work.
by pegasus123
Fri Jan 11, 2019 7:03 pm
Forum: General
Topic: How to mark http video streams with firewall mangle rules
Replies: 3
Views: 1004

Re: How to mark http video streams with firewall mangle rules

One way to match an HTTPS site is to read the SNI, AFAIK. You can use tls-host. There were a few examples in the forum as well.
by pegasus123
Tue Jan 08, 2019 4:13 am
Forum: General
Topic: Receiving lots of ACK
Replies: 8
Views: 582

Re: Receiving lots of ACK

Hi, probably you made yourself a loop in your network (check end-clients, especially switches, and WiFi APs),
Thanks for the suggestion. I'm currently observing after I've checked my config.
by pegasus123
Mon Jan 07, 2019 12:47 pm
Forum: General
Topic: Receiving lots of ACK
Replies: 8
Views: 582

Re: Receiving lots of ACK

I didn't mean to post your config here. If you have it, you could do a netinstall to the latest version, to make sure it's really back to normal code, and restore your config. You have the latest version (43,8); there most (all?) known sec issues have been fixed. It is possible that you got hacked ...
by pegasus123
Mon Jan 07, 2019 11:51 am
Forum: General
Topic: Receiving lots of ACK
Replies: 8
Views: 582

Re: Receiving lots of ACK

deleted
by pegasus123
Mon Jan 07, 2019 11:22 am
Forum: General
Topic: Receiving lots of ACK
Replies: 8
Views: 582

Re: Receiving lots of ACK

Whois says: inetnum: 124.104.0.0 - 124.107.255.255 netname: IPG descr: IPG descr: Philippine Long Distance Telephone Company country: PH tech-c: JG149-AP tech-c: NT80-AP admin-c: RR5-AP mnt-by: APNIC-HM mnt-lower: PHIX-NOC-AP status: ALLOCATED PORTABLE remarks: -------------------------------------...
by pegasus123
Mon Jan 07, 2019 11:09 am
Forum: General
Topic: What outbound connection does the Router does besides DNS?
Replies: 1
Views: 246

What outbound connection does the Router does besides DNS?

Hello All, as per the title, would you be able to tell me what outbound connections MikroTik makes? As far as I know, I expect DNS (UDP 53), DHCP to ISP. I'm actually not expecting port 80. I'm trying to account for what this outbound to port 80 does. I'm not running any upgrade package or anything lik...
by pegasus123
Mon Jan 07, 2019 8:27 am
Forum: General
Topic: Receiving lots of ACK
Replies: 8
Views: 582

Receiving lots of ACK

Hello, can anyone tell me what's going on with these? I've been receiving lots of ACKs, not sure what's going on. I have logged the outbound, but it seems there are no outbound requests when this happens. My IP is 119.94.xxx.xxx. Initially, I have set the input filter to established, related sessions; now I limit it to UD...
by pegasus123
Sat Sep 29, 2018 7:20 am
Forum: Beginner Basics
Topic: Hotspot trial user (T-MAC) persists on reboot?
Replies: 0
Views: 274

Hotspot trial user (T-MAC) persists on reboot?

As per the subject, is there any way I can make the T-MAC trial user data persist on reboot?
by pegasus123
Fri Sep 28, 2018 1:05 pm
Forum: Scripting
Topic: Change Trial Mac username from Dynamic to Static
Replies: 0
Views: 347

Change Trial Mac username from Dynamic to Static

Hello, is there any way to convert the T-MAC to static? How can I change this using a command? The reason is that every time the router reboots, the T-MAC gets lost; I want the trial username to persist across every reboot. Thanks [admin@MikroTik] > ip hotspot user print where name~"^T-" Flags: * - def...
by pegasus123
Tue Aug 21, 2018 7:36 am
Forum: Beginner Basics
Topic: Access Port VLAN Setup Post 6.41
Replies: 5
Views: 528

Re: Access Port VLAN Setup Post 6.41

Sorry to hijack this post. CZfan, can you also point me to any tutorial on creating 2 VLANs on 1 bridge?

I want to make ether2 on 1 VLAN, into which a dumb switch will be plugged, and the rest of the MikroTik ports on the 2nd VLAN. Thanks.
by pegasus123
Tue Aug 07, 2018 2:55 pm
Forum: General
Topic: Hardware Offload
Replies: 3
Views: 4466

Re: Hardware Offload

That's too bad. What I did is I just set up a new bridge for the 2nd network. I just wonder if the performance of file transfer can be improved.

Is this also not possible by doing VLANs on bridge 1?
by pegasus123
Tue Aug 07, 2018 2:41 pm
Forum: General
Topic: Hardware Offload
Replies: 3
Views: 4466

Hardware Offload

Hello All, I just bought my first MikroTik and I'm learning a lot. I have a question though with regards to HW offload; I just read that it allows using the switch chip instead of the CPU. Now my question is, I have 2 networks, bridge1 and bridge3_lan, and from below you can see that the HW offload is disab...