MikroTik

611

Looks like interface list includes don't work beyond the first level of nesting: "interface list 2 -> interface list 1 -> interface" works, but "interface list 3 -> interface list 2 -> interface list 1 -> interface" doesnt. This configuration: /interface list add name=il-test1 /i...

611

It's 2023 and ROS v7.9, the same thing, still undocumented. I've resorted to just resetting the routing mark as the first rule in mangle output chain: /ip firewall mangle add chain=output action=mark-connection connection-state=new,untracked ipsec-policy=out,ipsec new-connection-mark=no-mark passthr...

611

the correct syntax is "find where" While it looks more in line with "print where" this way, both docs page on scripting and /export command use "[find property=value]" without "where". Terminal autocomplete suggests that "where" is optional for &quo...

611

You broke a simple law of almost all programming languages: don't use reserved words as a variable name... Sure. The problem is DHCP client supplies interface name to the script as variable named "interface" (unlike DHCP server that uses "bindingVariableName" variables). Had to ...

611

A follow-up as I've ran into similar issue, but the cause was not apparent from this thread. :local interface "some-interface" :put [/ip dhcp-client get [find interface=$interface] primary-dns] Results in "invalid internal item number". :put [/ip dhcp-client get [find interface=&...

611

Just in case you're curous of what's inside country-info DB: :global formatFreqRange do= { :if ( [:find $range "turbo"] < 0 && [:len $range] > 0) do={ :local startfreq ([:pick $range 0 [:find $range "-"]]); :local endfreq ([:pick $range ([:find $range "-"]+1) [:...

611

I've tried similar approach with handcrafted config files and comparison, and crafted a Python script to compare actual config to one I'd want: # RouterOS config file parser/sorter/comparer ver.0 # by 611 import sys import re # My preferred order of parameter sorting # Firtsparams will go first in t...

611

Same to me - looks like "issued" and "revoked" flags, along with CA attribute of the certificates are local - they are not exported and absent on imported ones. Not a major problem for me as mu use case is simple: I'm pinning specific certificates for all connections I'm using an...

611

It happened that I had ran my CA for IPsec purposes on one of my MT routers (yes, I know), and as the device in question was due to be upgraded, I've decided to move the CA to a back-end device. From my previous experience I knew that configuration backup/restore functions in ROS also backing up/res...

611

I have two very different cases where I need to generate some traffic to keep the link loaded, and would like to hear your opinion on available options: 1. Site-to-site IPsec connection over 1Gb/s link plus some paranoia. I'd like approx. 150Mbit/s each way to obscure the traffic patterns of the rea...

611

The packet may return, it's called "loop" :) Normally you shouldn't see neither packets with external addresses (one external is ok is you're routing some external traffic through another node, but not both src and dest) nor ipencap (4) protocol _inside_ your internal tunnel, still you hav...

611

As far as I've understood you, I've got the same config (for the same purposes). If your interface list ipip1 contains your ipip tunnels, by adding such drop rule in prerouting chain you're just filtering traffic _inside_ your tunnels, and you have no way to know if the tunnel itself was encrypted i...

611

The point is that the Mikrotik tutorial and the NordVPN tutorial are both missing this information: https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS https://nordvpn.com/de/tutorials/mikrotik/ikev2/ That's why my expectation is that the VPN tunnel configuration does not add any ...

611

I'm not affiliated with MT :) "DNS leak" in VPN scenario usually denotes "resolving names through DNS server other than VPN provider's". If you'll route traffic from a "client group" (identified with network addresses, ports, L7 patterns used, whatever) to a VPN, but do...

611

All logging actions with destination pointing to an USB disk are lost after reboot on latest beta (6.46beta59): /system logging export pre-reboot: # nov/03/2019 11:43:17 by RouterOS 6.46beta59 # software id = [redacted] # # model = RouterBOARD 3011UiAS # serial number = [redacted] /system logging ac...

611

The support have refused to provide me a new key for unbricked device, citing it has the same serial as fullflash donor. (Thanks, Captain Obvious!)

That's haven't been unexpected, to be true.

So I have to dig deeper

I'll keep this thread updated should I get any results.

611

I've finally got to this issue, desoldered SPI flash and found it to be completely empty. No boot block, no config block, nothing. Just 16Mb of 0xFF. So I can confirm that hard resettng hAP ac twice causes complete flash erasure. I've debricked the router by flashing a dump from another hAP ac into ...

611

Fixed in 6.45.1 stable.

611

Yes exactly, I also tested if the traffic is really isolated, but so far no issues with this kind of configuration. From my point of view, this was the simplest and most direct type of configuration. Looks like I was missing a critical part of knowledge to implement it this way. And it's actually s...

611

Tobias, if your config work on beta64? No hw offload on the second bridge is not a problem because it won't have any meaningful hw offload as it includes only wireless interfaces and VLAN on master bridge - it goes through CPU anyway. Moreover, you'll need this separate bridge if you want to connect...

611

It took a bit longer, still here it is. Relevant portion of config: # model = RBD52G-5HacD2HnD /interface ethernet set [ find default-name=ether1 ] name=ether1-company set [ find default-name=ether2 ] name=ether2-extra set [ find default-name=ether3 ] name=ether3-laptop set [ find default-name=ether...

611

Does anyone knows where to find this setting? I am looking for it for years now. *) winbox - do not allow setting "dns-lookup-interval" to "0"; Update: Found it on a Polish site and it a setting not applying to what I was looking for. It was a very "funny" bug actually...

611

Confirmed working with 6.45beta54.

Phase2 rekeying doesn't work, but increasing SA lifetime to 365 days in the proposal could be used as a workaround.

611

I'm using hap ac2 with its switch configured as follows: VLANs are configured in switch; all external Ethernet ports are access (untagged) ports with corresponding VLANs; CPU port is a trunk (tagged) port; all external Ethernet ports are added to master bridge in router; corresponding VLANs on maste...

611

Looks like power cycling the router after 300s format had bricked it. And this SFP LED steady on for first 300s / blinking for second 300s makes me think it erased primary bootloader first, than backup bootloader. I always disable all other adapters and when running netinstall or similar utilities (...

611

I've got several RB962, and each time I need to netinstall one there was some kind of problem - it won't netinstall like other MT devices. If I remember correctly, the last time problem was solved with failsafe format (supply power while keeping reset pressed, hold reset for 300+ seconds), then it n...

611

IKEv2 from NordVPN should work with latest testing releases, where support for EAP authentication methods was added. See this post for details: https://forum.mikrotik.com/viewtopic.php?f=2&t=126221#p731754 Confirmed working with 6.45beta54. You may create identity with GUI (you'll need to selec...

611

I've got a reply from support, problem confirmed: I have managed to reproduce your problem and at the moment it indeed seems to be software related bug which does not comply with loose rp-filter implementation. However, this parameter functionality in RouterOS works based on Linux Kernel. We will tr...

611

@611: You can mention to support, that the thing you desperately need is conditional DNS forwarding . And that it's really important, the proof of that being the thing you're trying to do now. Maybe you don't mind, but regular people should not be forced to such desperate measures. It's not just on...

611

I haven't done any actual testing, but most likely issue is with connection tracking way to classify traffic, i had similar setup, where traffic was traversing router twice, connection tracking was unable to classify it for some reason. Trying to assign traffic to same conntrack entry so rp-fiter b...

611

I'm sorry, but i still do not understand - WHY you need this? I do not know your background, but this is first time i heard about this "know solution of Mangling loopback".. so please explain functionality that you are trying to achieve 1. I need conditional DNS (like "*.domain1"...

611

An update: Looks like the "mangling loopback" setup was failing to work on my production RB3011 (running the same 6.44.3) for the same RP filter reason. But unlike the test setup, I had to reboot router after switching RP filter off to get it working. Maybe it's due to existing load, which...

611

I've been testing "mangling loopback" (known workaround for dstnat not available in output chain + no cDNS + no non-standard winbox port in Dude in ROS v6) configuration on a metarouter (as I wanted a config as generic as possible). Metarouter is running on RB2011, ROS 6.44.3. The config i...

611

Nope to both (moreover, non-accelerated AES on OVPN will be slow). Since NordVPN has deprecated L2TP/IPsec in late 2018 (for some obscure reasons), ROS is no longer able to connect to NordVPN. I've replaced my CHR with OPNsense because of that, and currently using OVPN from it. Runs well, including ...

611

I'm running beta branch of v6 ROS on RB3011 (and other arm and mipsbe routers, on which I haven't observed the following failure). After an upgrade (I assume to 45beta19, but I'm not sure) a couple of weeks ago all IKE2 links went down, and I was unable to establish L2TP/IPsec connection to router (...

611

I've done some further testing - modified firewall rules to catch all packets fallen off the VLAN to the master bridge. Total seepage is about 0.1% of all packets. The good news - I've been unable to reproduce the issue in a controlled environment like this: The testbed: [MT, 10.50.0.2>] <-Ether-> [...

611

Looks like I have the same or related issue with RB3011: some packets are seemingly coming untagged from an access port, this results in input from the master bridge instead of configured VLAN. I have switch and interface setup as described in https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switchi...

Search found 37 matches

Interface list include nesting limit

Re: Routing table ignoring routing mark

Re: invalid internal item number [SOLVED]

Re: invalid internal item number [SOLVED]

Re: invalid internal item number [SOLVED]

A script to dump country-info in spreadsheet-friendly format

Re: Comparing config files

Re: Backing up certificates

Backing up certificates

Robust 24/7 traffic generation

Re: IPSEC+tunnel packet flow

Re: IPSEC+tunnel packet flow

Re: NordVPN IKEv2 EAP VPN tunnel: DNS leak

Re: NordVPN IKEv2 EAP VPN tunnel: DNS leak

Logging Actions to an USB disk are lost after reboot

Re: hAP ac bricked

Re: hAP ac bricked

Re: Switch issues in 6.45beta62 (but not in beta54) [SOLVED]

Re: Switch issues in 6.45beta62 (but not in beta54) [SOLVED]

Re: Switch issues in 6.45beta62 (but not in beta54) [SOLVED]

Re: Switch issues in 6.45beta62 (but not in beta54) [SOLVED]

Re: v6.45beta [testing] is released!

Re: NordVPN

Switch issues in 6.45beta62 (but not in beta54) [SOLVED]

Re: hAP ac bricked

hAP ac bricked

Re: NordVPN

Re: Strange RP filter behavior

Re: Strange RP filter behavior

Re: Strange RP filter behavior

Re: Strange RP filter behavior

Re: Strange RP filter behavior

Strange RP filter behavior

Re: NordVPN

IPsec configuration storage(?) failure after upgrade (to 45beta19?) on RB3011

Re: RB3011 Switch VLAN Access Port Issue

Re: RB3011 Switch VLAN Access Port Issue