by karlisi
Fri May 24, 2019 10:04 am
Forum: Beginner Basics
Topic: Ban IP's / Drop connections of RDP Brute forcers
Replies: 4
Views: 179

Re: Ban IP's / Drop connections of RDP Brute forcers

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain. In simple English, why is drop in the input chain, not in raw? Perhaps the linked wiki is intended to show the principle, not a working configuration. You never know what other firewall rules are ...
by karlisi
Fri May 17, 2019 8:26 am
Forum: Wireless Networking
Topic: CAPsMAN channel selection
Replies: 6
Views: 393

Re: CAPsMAN channel selection

It's OK if these CAPs are far away from one another. You can reduce the reselect interval to force CAPs to check more often for a less busy frequency.
by karlisi
Mon Apr 29, 2019 3:27 pm
Forum: General
Topic: Ipsec error in Log [SOLVED]
Replies: 4
Views: 205

Re: Ipsec error in Log [SOLVED]

I don't use IPsec at all, how can I disable it?
Review the firewall input chain, perhaps you have unnecessary ports or protocols open. Best practice is to close all except those you are using.
by karlisi
Mon Apr 29, 2019 1:32 pm
Forum: General
Topic: Ipsec error in Log [SOLVED]
Replies: 4
Views: 205

Re: Ipsec error in Log [SOLVED]

Also what is the TCP connection established towards my router? These are connections to your PPTP server. 'TCP connection established' does not necessarily mean someone was able to get in; it means someone established a connection and was able to begin the authentication process. The same for the ipsec error...
by karlisi
Tue Apr 23, 2019 11:03 am
Forum: General
Topic: POE Out [SOLVED]
Replies: 4
Views: 191

Re: POE Out [SOLVED]

Typical RB951 power consumption is about 0.13A on startup and about 0.1A when running. If this is a 24V 0.8A power adapter then yes, you can, because both RBs will use 0.26A max.
by karlisi
Mon Apr 15, 2019 5:46 pm
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 429

Re: L2TP with RADIUS

Try to use a simpler RADIUS configuration:
/radius
add address=192.168.7.70 secret=AgileroSecret123 service=ppp src-address=192.168.7.1

I can't ping my AD Server (192.168.7.70) using udp 1812/1813

Did you try this from the Mikrotik?
by karlisi
Fri Apr 12, 2019 10:22 am
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 429

Re: L2TP with RADIUS

If the L2TP client is Windows, run this command in a Windows administrative command window (cmd -> run as administrator), then restart Windows:
reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
by karlisi
Wed Apr 10, 2019 11:48 am
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 429

Re: L2TP with RADIUS

Unable to access LAN from VPN client
viewtopic.php?t=85962
by karlisi
Wed Apr 10, 2019 11:44 am
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 429

Re: L2TP with RADIUS

For Mikrotik and Windows AD integration I used this tutorial
https://mivilisnet.wordpress.com/2018/1 ... indows-ad/
by karlisi
Mon Mar 04, 2019 10:02 am
Forum: Wireless Networking
Topic: CAPSMAN - Upgrade Policy - Require same version - should always work - suggestion
Replies: 3
Views: 289

Re: CAPSMAN - Upgrade Policy - Require same version - should always work - suggestion

You can download and upload the latest release of RouterOS in the files section of your CHR, then point cAPs via CAPsMAN to pick up the latest ROS from there and update. Could be MIPSBE or any other. There is one problem. You should first upgrade the CAPsMAN, and after that upload files for other pla...
by karlisi
Mon Feb 25, 2019 4:32 pm
Forum: General
Topic: Upgrade fails if .npk for other platforms are present
Replies: 0
Views: 377

Upgrade fails if .npk for other platforms are present

If I remember correctly, some time ago it was possible to upload to the CAPsMAN router all the needed packages for the APs and the router itself. After restart the router was upgraded and all APs too, if the "suggest same version" upgrade policy was enabled. Now, if there are additional .npk files uploaded, RouterOS upgrade...
by karlisi
Thu Feb 21, 2019 4:28 pm
Forum: Wireless Networking
Topic: Identify which CAPsMAN interface belongs to which AP [SOLVED]
Replies: 2
Views: 225

Re: Identify which CAPsMAN interface belongs to which AP [SOLVED]

/caps-man provisioning add name-format=identity
by karlisi
Fri Feb 15, 2019 1:11 pm
Forum: Scripting
Topic: Contribute backup script to FTP [SOLVED]
Replies: 2
Views: 265

Re: Contribute backup script to FTP [SOLVED]

Sometimes it's good to have a configuration export too:
/system backup save name=$filename password=xxxxx
:delay 3s
/export file=$filename
by karlisi
Mon Feb 11, 2019 10:52 am
Forum: RouterBOARD hardware
Topic: Mikrotik Poe Cascading
Replies: 6
Views: 469

Re: Mikrotik Poe Cascading

We have on some sites RB260GSP -> RB951Ui-2HnD -> RB951Ui-2HnD chained, somewhere 2 chains on one switch, without problems for more than 3 years. From my experience RB951 power consumption is about 130mA on boot, about 95mA when booted, so theoretically we can put such chains on all 4 outputs.
by karlisi
Fri Feb 08, 2019 2:54 pm
Forum: Beginner Basics
Topic: Cloud Router Switch administration [SOLVED]
Replies: 11
Views: 560

Re: Cloud Router Switch administration [SOLVED]

Use one of the combo ports for the connection to the PC.
Do you see the device in Winbox? Try to connect using the MAC address.
https://i.mt.lv/cdn/rb_files/1539897967 ... lus-qg.pdf
by karlisi
Fri Feb 01, 2019 2:34 pm
Forum: General
Topic: Winbox Urgent Suggestion
Replies: 15
Views: 898

Re: Winbox Urgent Suggestion

I have the right to use a Winbox version that is compatible with my OS
As the Winbox name suggests, it's a Windows Box.
by karlisi
Thu Jan 10, 2019 10:04 am
Forum: Beginner Basics
Topic: Noob firewall question - being brute forced
Replies: 7
Views: 391

Re: Noob firewall question - being brute forced

If I understand correctly these could be the commands I'd need to use after adding all WAN addresses to a custom contacts list MyContactList? (I replaced RDP with TCP as per @mkx's comment and used 8.8.8.8 as the server IP for this example.) Do I need to use the WinBox software to execute this or can I do it fro...
by karlisi
Fri Dec 28, 2018 3:47 pm
Forum: RouterBOARD hardware
Topic: RB750 Aluminum Electrolytic Capacitor SMD need replacement
Replies: 3
Views: 501

Re: RB750 Aluminum Electrolytic Capacitor SMD need replacement

If there is a lowercase j, not a capital J, after 330, then it is 330uF 6.3V 105°C
by karlisi
Thu Dec 20, 2018 4:31 pm
Forum: Beginner Basics
Topic: Strange UDP Packet to 81.198.87.240 [SOLVED]
Replies: 1
Views: 275

Re: Strange UDP Packet to 81.198.87.240 [SOLVED]

# nslookup cloud.mikrotik.com
Name: cloud.mikrotik.com
Address: 81.198.87.240
by karlisi
Fri Dec 14, 2018 10:19 am
Forum: RouterOS v7
Topic: Feature request: CAPsManager - roaming
Replies: 75
Views: 20305

Re: Feature request: CAPsManager - roaming

The project requirements for WiFi4EU are:
(..)
support IEEE 802.11r
(..)
But unfortunately Mikrotik does not meet the requirements.
We also wanted to participate in this project to extend our infrastructure. It seems EU money will go to another company. Perhaps Mikrotik doesn't need this money?
by karlisi
Thu Dec 13, 2018 9:46 am
Forum: Wireless Networking
Topic: cAP ac: Alternative brackets
Replies: 4
Views: 518

Re: cAP ac: Alternative brackets

Can you clarify about the cable not bending enough to fit into the wall? I just don't see the issue.
Subject: 19.0 What is the Minimum Bending Radius for a Cable? According to EIA SP-2840A (a draft version of EIA-568-x) the minimum bend radius for UTP is 4 x cable outside diameter, about one inch. ...
by karlisi
Tue Dec 11, 2018 2:05 pm
Forum: Beginner Basics
Topic: Router Optimization
Replies: 7
Views: 613

Re: Router Optimization

I hope you also have some rules to protect the router from attacks, not only those shown, and that your router isn't transferring any malicious traffic either. IMHO it's enough to have 1 rule instead of 3 in the forward chain, no need to specify ports:
/ip firewall filter add action=fasttrack-connection chain...
by karlisi
Tue Dec 04, 2018 10:28 am
Forum: General
Topic: Tls host not work
Replies: 3
Views: 776

Re: Tls host not work

It works, at least on 6.42.10.
You should remove the port, leaving only tls-host. And this rule must be before the 'accept established, related' rule.
by karlisi
Thu Nov 22, 2018 10:40 am
Forum: General
Topic: don´t upgrade last version MKT1100AHx2
Replies: 1
Views: 172

Re: don´t upgrade last version MKT1100AHx2

What's in the log?
by karlisi
Tue Nov 20, 2018 2:00 pm
Forum: Beginner Basics
Topic: MIkrotik backup script
Replies: 4
Views: 438

Re: MIkrotik backup script

I would have added Year :)
It wasn't in OP requirements ;)
by karlisi
Tue Nov 20, 2018 10:10 am
Forum: Beginner Basics
Topic: MIkrotik backup script
Replies: 4
Views: 438

Re: MIkrotik backup script

Something like this? :local filename; :local date [/system clock get date]; :local name [/system identity get name]; :local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec"); :local varMonth [:pick $date 0 3]; :set varMonth ([ :find $months $varMonth -1 ] + 1); :if ($v...
by karlisi
Wed Nov 07, 2018 4:42 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 16
Views: 941

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

Not related to the VPN problems, but /ip firewall rules are not in optimal order. In the input chain, put the allow established, related rules on top.
by karlisi
Wed Nov 07, 2018 4:36 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 16
Views: 941

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

Try this
/ppp profile
add dns-server=192.168.90.254 local-address=192.168.90.254 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
by karlisi
Wed Nov 07, 2018 3:45 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 16
Views: 941

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

It's very hard to guess what is wrong only from video and screenshots. Can you post the output from /export hide-sensitive?
by karlisi
Tue Nov 06, 2018 10:01 am
Forum: The Dude
Topic: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?
Replies: 6
Views: 1002

Re: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?

I don't think they overlap, and I would implement Dude, Splunk and, in place of Cacti, Zabbix.
Dude for management and very basic monitoring, but it can do more.
Splunk (I am using its alternative, Graylog) for log collecting, log analyzing and alerting.
Zabbix for monitoring, graphing and alerting.
by karlisi
Thu Oct 25, 2018 4:39 pm
Forum: General
Topic: Redirect request by source IP in a scenario with Server Microsoft (DC)
Replies: 3
Views: 258

Re: Redirect request by source IP in a scenario with Server Microsoft (DC)

For domain-joined workstations it is mandatory to have AD-aware DNS servers configured. If you configure on them a DNS server which knows nothing about AD, it will break domain authentication.
by karlisi
Wed Oct 24, 2018 10:30 am
Forum: Beginner Basics
Topic: Mikrotik as a switch with wifi
Replies: 8
Views: 819

Re: Mikrotik as a switch with wifi

Try this
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n frequency=2422 name=wlan2.4 \
ssid=NETGEAR48 mode=station-pseudobridge
by karlisi
Thu Sep 20, 2018 2:34 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 67894

Re: Winbox vulnerability: please upgrade

would check firewall rules for unsafe entries on every upgrade
What is considered an unsafe entry? And how would you determine that a particular entry is unsafe in a specific firewall?
Everything outside the default protection rules. It should be only a warning, nothing else.
by karlisi
Thu Sep 20, 2018 12:41 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 67894

Re: Winbox vulnerability: please upgrade

In some cases Windows 10 forces the user to restart the computer, not letting them do anything else. It's almost the same, except if the user wants to sit and look at something like "You must restart your computer to finish important update" forever. It's off-topic, imho. Mikrotik should not change upgrade to automatic ...
by karlisi
Fri Sep 14, 2018 12:14 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: NAT Setup: Access from internal network is OK, but from internet show mikrotik login page
Replies: 1
Views: 359

Re: NAT Setup: Access from internal network is OK, but from internet show mikrotik login page

First, it's not good to open all the webserver's ports to the whole world. dst-nat rules should be something like this:
chain=dstnat action=dst-nat to-addresses=192.168.89.254 to-ports=443 protocol=tcp dst-address=2.184.70.46 dst-port=443 log=no
chain=dstnat action=dst-nat to-addresses=192.168.89.254 to-port...
by karlisi
Wed Aug 29, 2018 10:57 am
Forum: Wireless Networking
Topic: CAPsMAN - can't get 5GHz band on wAP ac to work [SOLVED]
Replies: 14
Views: 1367

Re: CAPsMAN - can't get 5GHz band on wAP ac to work [SOLVED]

See the CAPsMAN configuration below. The wAP ac has only ever been configured as a CAP using the button. To me the configuration looks fine, and I'm not seeing any errors (such as "no supported channel"). But I'm new to CAPsMAN, probably I'm missing something obvious? [admin@MikroTik] /caps-man chann...
by karlisi
Tue Jul 31, 2018 3:10 pm
Forum: General
Topic: MT Forum problems (posting/upload)
Replies: 4
Views: 494

Re: MT Forum problems (posting/upload)

After posting, a white screen is shown instead of the usual next screen.
However, the posting appears when reloading the forum.
It's fixed, nice
by karlisi
Tue Jul 31, 2018 9:53 am
Forum: Beginner Basics
Topic: Troublesome Firewall rule (NAT?)
Replies: 6
Views: 583

Re: Troublesome Firewall rule (NAT?)

Perhaps it's a typo: in the text you have 10.0.0.155, in the NAT rule the IP is 10.0.0.55. Remove src-port=8082 from the NAT rule and add in-interface=your-wan-interface (or dst-address=your-wan-ip) to it. And you don't need this firewall rule, unless you are blocking all TCP ports in the forward chain (unlikely). ...
by karlisi
Mon Jul 30, 2018 10:48 am
Forum: General
Topic: problem accessing the mikrotik VM
Replies: 1
Views: 165

Re: problem accessing the mikrotik VM

You can log in from the VM management.
BTW version 6.38.3 is vulnerable to at least 2 threats; consider upgrading, more on https://blog.mikrotik.com/security/
by karlisi
Mon Jul 16, 2018 11:44 am
Forum: General
Topic: How do i access mikrotik, i forwarded the only service port (winbox) to an nother ip by accident [SOLVED]
Replies: 3
Views: 285

Re: How do i access mikrotik, i forwarded the only service port (winbox) to an nother ip by accident [SOLVED]

If you can access the router physically and know the IP address from which it is accessible, connect it directly to your computer, set this (wrong) IP address on the computer and that's all. If not, ask the ISP, sorry.
by karlisi
Fri Jul 13, 2018 3:28 pm
Forum: General
Topic: Automatically upgrade CAPs MIPSBE over CAPsMAN ARM
Replies: 2
Views: 508

Re: Automatically upgrade CAPs MIPSBE over CAPsMAN ARM

Upload the mipsbe package to the RB3011.
Configure CAPsMAN accordingly (change the path if needed):
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
That's all. The upgrade process will start immediately; all CAPs will restart as a result.
by karlisi
Wed Jul 11, 2018 8:45 am
Forum: Beginner Basics
Topic: Connecting routers through POE ports
Replies: 4
Views: 556

Re: Connecting routers through POE ports

Seems like it's quite possible to have two units daisy-chained (even using a PoE injector), but not more.
I can confirm this, we have daisy-chained two RB951Ui-2HnD and two hAP in many places. On startup they consume about 150mA each from the power unit, so perhaps 3 units chained are acceptable, ...
by karlisi
Wed Jul 11, 2018 8:22 am
Forum: General
Topic: PPTP question [SOLVED]
Replies: 3
Views: 407

Re: PPTP question [SOLVED]

It means someone is trying to get in. These messages are written for every attempt, successful or unsuccessful. For unsuccessful authentication there are typically no additional messages (default configuration). If authentication was successful, there should be a message like 'username logged in'.
by karlisi
Tue Jul 10, 2018 10:51 am
Forum: Beginner Basics
Topic: How specific do you make your FW rules?
Replies: 4
Views: 500

Re: How specific do you make your FW rules?

I have from 9 to 60 rules on different sites, it depends. 30 rules for 2 WANs is not so much, I think.
by karlisi
Fri Jul 06, 2018 2:42 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 63
Views: 23433

Re: Winbox v3.16 released!

Hello everybody,
Faton
Start new topic, please! This is for problems with Winbox v3.16 only!
by karlisi
Wed Jul 04, 2018 10:32 am
Forum: Wireless Networking
Topic: CAPsMAN very bad performance
Replies: 2
Views: 908

Re: CAPsMAN very bad performance

Try a different channel.
Or better, let the CAP choose the channel and, to avoid conflicts with other devices, set channel reselection to every 1 minute:
/caps-man channel
add band=2ghz-g/n reselect-interval=1m name="ch 2"