Search found 330 matches

by karlisi
Wed Oct 07, 2020 9:42 am
Forum: General
Topic: DDoS detection and blocking [SOLVED]
Replies: 8
Views: 476

Re: DDoS detection and blocking [SOLVED]

That article is almost 10 years old, please use current version
https://help.mikrotik.com/docs/display/ ... Protection
by karlisi
Mon Sep 28, 2020 10:13 am
Forum: General
Topic: CAPsMAN upgrade doubts
Replies: 6
Views: 419

Re: CAPsMAN upgrade doubts

... CAPs Manager (ARM based hAP ac2 in long-term v6.45.9) and a CAP Slave (MIPSBE mAP Lite 2nD in stable v6.46.6) ... and the upgrade policy to suggest same version. All works as expected, on client there is newer version as on manager, it's why nothing happens. You can do as @mkx suggests, in fact...
by karlisi
Thu Sep 17, 2020 9:49 am
Forum: Beginner Basics
Topic: Forward chain ipsec rule placement
Replies: 2
Views: 139

Re: Forward chain ipsec rule placement

Ipsec rules should be before fasttrack rule, to exclude ipsec traffic from fasttrack. And fasttrack should be before accept established, related, untracked to work properly.
by karlisi
Mon Sep 14, 2020 10:52 am
Forum: Announcements
Topic: v6.46.7 [long-term] is released!
Replies: 43
Views: 9406

Re: v6.46.7 [long-term] is released!

Shouldn't we be seeing the changelog from 6.45.9 to 6.46.7 not from 6.46.6 ? Going up a major version in a long-term release should be looked over a bit more carefully before we take the plunge. We already had discussion about that without results https://forum.mikrotik.com/viewtopic.php?f=21&t=150...
by karlisi
Thu Sep 03, 2020 10:28 am
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 70
Views: 9169

Re: WinBox v3.27 released!

RB2011 ROS 6.45.9 (long-term), no problems with NAT rules.
by karlisi
Wed Sep 02, 2020 4:42 pm
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 70
Views: 9169

Re: WinBox v3.27 released!

Wow, that was fast! Thank you!
by karlisi
Tue Sep 01, 2020 3:02 pm
Forum: Announcements
Topic: WinBox v3.25 released!
Replies: 68
Views: 5990

Re: WinBox v3.25 released!

Or at least there should be some warning regarding this, when it encounters unsupported (anymore) ROS versions instead of the current unfortunate behaviour. ROS 6.45.9 is supported, this is the latest long-term version. So, while we are waiting for backporting something (we don't know what) from sta...
by karlisi
Tue Sep 01, 2020 1:12 pm
Forum: Announcements
Topic: WinBox v3.25 released!
Replies: 68
Views: 5990

Re: WinBox v3.25 released!

IMHO You should fix WinBox not ROS ASAP as upgrade to ROS > 6.47 is not always possible
And remove Winbox 3.25 from downloads and upgrade ASAP.
by karlisi
Tue Sep 01, 2020 8:49 am
Forum: Announcements
Topic: v6.45.9 [long-term] is released!
Replies: 83
Views: 63867

Re: v6.45.9 [long-term] is released!

Installed on a number of units to notice that the Hotspot Host table is now empty. It appears the Hotspot is still working as clients are able to connect and logon and then appear in the active table. Seen this on all platforms. Also same issue is present in v6.47.2. Is it just me or is anyone else s...
by karlisi
Tue Sep 01, 2020 8:44 am
Forum: RouterBOARD hardware
Topic: CAPSMAN Manager For Medium to Big deployment
Replies: 4
Views: 377

Re: CAPSMAN Manager For Medium to Big deployment

CCR2004-1G-12S+2XS https://mikrotik.com/product/ccr2004_1g_12s_2xs I have deployed similar medium sized systems using RB4011 and CRS328's. The RB4011 is connected by SFP+ and handles all the CAPSMAN traffic in non-local-forward mode. The benefit of this is all the radios are ports on one common bri...
by karlisi
Tue Sep 01, 2020 8:35 am
Forum: Announcements
Topic: WinBox v3.25 released!
Replies: 68
Views: 5990

Re: WinBox v3.25 released!

You can say that this version has a killer feature. Open CAPsMAN, click on "Radio" tab and watch all your CAPs disconnect. Also keeping that tab open will not let any CAP connect back. "failed to connect, timeout". LE: they do come back eventually but nothing shows up on the Radio tab though. Not fu...
by karlisi
Fri Aug 28, 2020 11:21 am
Forum: Beginner Basics
Topic: MikroTik LtAP LTE6 kit Config for Latvia LMT mobile network
Replies: 8
Views: 694

Re: MikroTik LtAP LTE6 kit Config for Latvia LMT mobile network

And don't compare router with phone, they are using different frequencies, so there can be different load on tower. Would be interesting to see the same RSRP, RSRQ and SINR from Huawei router.
by karlisi
Fri Aug 28, 2020 11:15 am
Forum: Beginner Basics
Topic: MikroTik LtAP LTE6 kit Config for Latvia LMT mobile network
Replies: 8
Views: 694

Re: MikroTik LtAP LTE6 kit Config for Latvia LMT mobile network

How are your signal levels (RSRP, RSRQ, etc.)

Regards.
RSRP: -106 dBm
RsRQ: -13.0 dB
SINR 7dB ( changing in limits from 5 to 10 )
Very poor signal, according to this
https://wiki.teltonika-networks.com/vie ... _.28LTE.29
by karlisi
Fri Aug 21, 2020 1:19 pm
Forum: General
Topic: I can't see traffic on the NAT, it uses the main bridge
Replies: 6
Views: 828

Re: I can't see traffic on the NAT, it uses the main bridge

You want to restrict access from bridge-public to bridge by this rule? add action=src-nat chain=srcnat dst-address=!192.168.88.0/24 \ out-interface-list=WAN src-address=10.0.0.0/22 to-addresses=\ 192.168.88.250 IMHO, this will not work, requests to 192.168.88.0/24 misses this rule and will be routed...
by karlisi
Thu Aug 20, 2020 10:07 am
Forum: Beginner Basics
Topic: Point - multipoint
Replies: 9
Views: 550

Re: Point - multipoint

Yes, RB711-5HnD comes with L4 (AP) license.
https://mikrotik.com/product/RB711GA-5HnD
by karlisi
Mon Aug 17, 2020 5:13 pm
Forum: Beginner Basics
Topic: Transfer configuration between identical hardware [SOLVED]
Replies: 4
Views: 982

Re: Transfer configuration between identical hardware [SOLVED]

And yes, you should remove unwanted MAC addresses from exported configuration.
by karlisi
Mon Aug 17, 2020 1:09 pm
Forum: Beginner Basics
Topic: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?
Replies: 27
Views: 4723

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

You can use 'verbose' switch on import, sometimes output to screen helps to spot the problem, because you will see exactly where the script stops. And there is another one useful switch 'from-line' which you can use to continue import after correcting errors.
by karlisi
Fri Aug 14, 2020 8:56 am
Forum: Beginner Basics
Topic: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?
Replies: 27
Views: 4723

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Last row says: 19:48, 21 May 2008 (EEST)
I believe most of it is obsolete. As said before, the default ruleset is the best starting point.
by karlisi
Thu Aug 13, 2020 3:40 pm
Forum: Beginner Basics
Topic: VNC with MikroTik LMT LTE18 router
Replies: 21
Views: 2988

Re: VNC with MikroTik LMT LTE18 router

So you haven't public IP address, this IP is from LMT internal network for clients, which is behind some NAT. Because they haven't dst-nat from real public IP to your router's external LTE interface, you can't establish VNC connection. You should ask LMT for real public IP. It can be dynamic, you ca...
by karlisi
Thu Aug 13, 2020 1:38 pm
Forum: Beginner Basics
Topic: VNC with MikroTik LMT LTE18 router
Replies: 21
Views: 2988

Re: VNC with MikroTik LMT LTE18 router

Do you have public IP address on LTE interface? Or from 10.0.0.0/8 network (smth like 10.44.28.53)?
by karlisi
Wed Aug 12, 2020 5:02 pm
Forum: Beginner Basics
Topic: Can't create l2tp and other vpn servers
Replies: 4
Views: 970

Re: Can't create l2tp and other vpn servers

Sure, it shouldn't work. You have no incoming firewall rules for VPN, no L2TP profiles and secrets defined, only enabled L2TP server. That's why I linked wiki and one of the many step-by-steps found by Google.
by karlisi
Mon Aug 03, 2020 3:49 pm
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5044

Re: Am I protected with this settings?

System: hAP Ac. Os. 6.47.1. I Have only added a few rules to the default firewall rules. Do i Need to add anything else to make my hAp Ac secure? My configuration is as given below. /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!...
by karlisi
Mon Aug 03, 2020 8:16 am
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 117
Views: 30688

Re: CSS326-24G-2S+RM hangs until power cycle

On first test problem was not resolved, but we will test it more thoroughly this week.
by karlisi
Thu Jul 30, 2020 4:49 pm
Forum: General
Topic: Fix NTP Client to use FQDN
Replies: 1
Views: 523

Re: Fix NTP Client to use FQDN

"Server DNS Names" field is for FQDN of NTP servers.
by karlisi
Mon Jul 27, 2020 9:21 am
Forum: Scripting
Topic: Script to Reboot Routerboard
Replies: 16
Views: 39092

Re: Script to Reboot Routerboard

You don't need a script. Simply write in scheduler field 'On Event' /system reboot
by karlisi
Wed Jul 08, 2020 9:16 am
Forum: The Dude
Topic: winbox problem with dude [SOLVED]
Replies: 2
Views: 770

Re: winbox problem with dude [SOLVED]

You should edit path to Winbox in Dude client to actual Winbox location
https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/Tools
by karlisi
Tue Jul 07, 2020 8:30 am
Forum: The Dude
Topic: Admin Password
Replies: 11
Views: 1822

Re: Admin Password

If you are speaking about CHR, you can use free version without registration, the only restriction is -
The free license level allows CHR to run indefinitely. It is limited to 1Mbps upload per interface.
https://wiki.mikrotik.com/wiki/Manual:CHR#free
by karlisi
Mon Jul 06, 2020 5:10 pm
Forum: The Dude
Topic: Admin Password
Replies: 11
Views: 1822

Re: Admin Password

Before the dude can watching all server or devices... likes windows os, linux os, HP switch or cisco routeur etc... not now is watch only MikroTik ? No, you can monitor everything as before. The only difference is, now Dude server can run on RouterOS only. It can be Mikrotik device or CHR virtual m...
by karlisi
Mon Jul 06, 2020 4:16 pm
Forum: The Dude
Topic: Admin Password
Replies: 11
Views: 1822

Re: Admin Password

Mikrotik, where Dude server part is installed.
by karlisi
Tue May 26, 2020 4:18 pm
Forum: General
Topic: Backup / Restore [SOLVED]
Replies: 10
Views: 1778

Re: Backup / Restore [SOLVED]

For rsc file, use /import instead of /system backup. Nothing changed in terms of backup and export usage, you should not use backup to restore it on another machine, even if it works.
by karlisi
Tue May 26, 2020 11:31 am
Forum: Beginner Basics
Topic: Firewall Problem
Replies: 4
Views: 896

Re: Firewall Problem

If this is all your firewall and if you disable last drop rule, your forward chain is fully open. BTW, last drop rule seems wrong, it drops all not-dstnatted connections coming from any interface, typically you want to drop this only from WAN.
by karlisi
Tue May 26, 2020 8:35 am
Forum: General
Topic: Move configuration from old to new router
Replies: 5
Views: 1126

Re: Move configuration from old to new router

You can use configuration export not the backup. It is recommended to edit exported configuration, there can be i.e. some MAC addresses You don't want to transfer to new router.
by karlisi
Mon May 25, 2020 8:58 am
Forum: Wireless Networking
Topic: Setting Time in Capac from main router. [SOLVED]
Replies: 7
Views: 1556

Re: Setting Time in Capac from main router. [SOLVED]

I doubt your gateway works as NTP server. Set ntp server DNS name to pool.ntp.org
by karlisi
Fri May 22, 2020 1:25 pm
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 106
Views: 57528

Re: Winbox v3.24 released!

With Log window opened, minimize WinBox, then Restore. Log is always reverted to the beginning. Anyone else seeing this? Yes, the same here Just tried it on several routers, but only see this behavior on a single device. A differentiating factor appears to be the number of records kept in the log. ...
by karlisi
Wed May 20, 2020 10:15 am
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 106
Views: 57528

Re: Winbox v3.24 released!

Hello

With Log window opened, minimize WinBox, then Restore. Log is always reverted to the beginning.
Anyone else seeing this?

Regards
Yes, the same here
by karlisi
Tue May 19, 2020 3:30 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 1674

Re: Accessing external IP from LAN without hairpin NAT

Quick answer is - yes, if you use second IP for webserver, you don't need hairpin-nat. And you don't need the internal DNS server point to DMZ IP, point it to external IP. Be sure to not use default masquerade, use src-nat to appropriate external IPs instead.
by karlisi
Mon May 18, 2020 8:38 am
Forum: Beginner Basics
Topic: VPN L2TP7IPSEC
Replies: 1
Views: 467

Re: VPN L2TP7IPSEC

Read this
viewtopic.php?f=2&t=149863#p738129
or this (although article is about Windows Vista, it applies to newer Windows versions too)
https://support.microsoft.com/en-us/hel ... in-windows
by karlisi
Wed May 06, 2020 8:23 am
Forum: Forwarding Protocols
Topic: access my webserver in local network
Replies: 7
Views: 1179

Re: access my webserver in local network

I supposed OP has static public IP, because
i access my web server from internet all thing work fine
by karlisi
Tue May 05, 2020 4:18 pm
Forum: Forwarding Protocols
Topic: access my webserver in local network
Replies: 7
Views: 1179

Re: access my webserver in local network

Did you read that at all? Look in /ip firewall nat If you have default config, you already have this add chain=srcnat out-interface=WAN action=masquerade If you can access your webserver from outside of LAN, add this and all should work add chain=dstnat dst-address=<your-public-ip-address-here> prot...
by karlisi
Tue May 05, 2020 8:38 am
Forum: Beginner Basics
Topic: L2TP/IPsec to Windows Client
Replies: 1
Views: 778

Re: L2TP/IPsec to Windows Client

by karlisi
Thu Mar 12, 2020 3:52 pm
Forum: Beginner Basics
Topic: RB1100AHx2 upgrade 6.32.4 to 6.46.4
Replies: 6
Views: 1938

Re: RB1100AHx2 upgrade 6.32.4 to 6.46.4

I'm not really sure if the RB1100 is in the "default settings are completely empty" category (like the CCR)...
Yes it is completely empty.
by karlisi
Thu Mar 12, 2020 8:48 am
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 50135

Re: v6.46.4 [stable] is released!

I have Dude 6.46.4 and many RBs 6.44.6, and they all are talking with Dude.
by karlisi
Mon Feb 24, 2020 10:07 am
Forum: Forwarding Protocols
Topic: Problem with a VPN Server Router behind Mikrotik
Replies: 4
Views: 2554

Re: Problem with a VPN Server Router behind Mikrotik

You don't need all UDP rules and all input chain rules. And the last 2 dst-nat rules too.
Try to add this (if you have default firewall ruleset you don't need it)
/ip firewall filter
add action=accept chain=forward dst-port=1723 protocol=tcp
by karlisi
Fri Feb 14, 2020 8:34 am
Forum: RouterBOARD hardware
Topic: Ccr 1009 power issue
Replies: 12
Views: 4357

Re: Ccr 1009 power issue

I suspect there are many more problems if this resistor, in fact simple wire, is blown. Search for shorts somewhere after this resistor.
by karlisi
Mon Feb 10, 2020 3:56 pm
Forum: Beginner Basics
Topic: Help me fix my crappy firewall
Replies: 11
Views: 3908

Re: Help me fix my crappy firewall

About other firewall rules. Rule #11 is unneeded because rule #21 already does that 11 ;;; Allow portforward chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1_UPLINK 21 ;;; drop all from WAN not DSTNATed chain=forward action=drop connection-state=new co...
by karlisi
Mon Feb 10, 2020 3:47 pm
Forum: Beginner Basics
Topic: Help me fix my crappy firewall
Replies: 11
Views: 3908

Re: Help me fix my crappy firewall

At the end of this journey, nothing known should reach the last rule on the firewall (chain=input action=drop log=yes). This log will (in distant future) be sent to a central logging service with alerts attached to it. Not exactly. These SYN packets are dropped in input chain, they are coming to ro...
by karlisi
Wed Jan 29, 2020 4:44 pm
Forum: Announcements
Topic: v6.45.8 [long-term] is released!
Replies: 87
Views: 64880

Re: v6.45.8 [long-term] is released!

Long term: Released rarely, and includes only the most important fixes, upgrades within one number branch not add new features.
https://wiki.mikrotik.com/wiki/Manual:U ... _numbering
by karlisi
Tue Jan 28, 2020 8:52 am
Forum: General
Topic: L2TP IPSec behind Internet
Replies: 3
Views: 811

Re: L2TP IPSec behind Internet

First solution not usable only for clients which all are behind one NAT.
by karlisi
Fri Jan 24, 2020 2:22 pm
Forum: General
Topic: L2TP IPSec behind Internet
Replies: 3
Views: 811

Re: L2TP IPSec behind Internet

Read this, it works very well https://forum.mikrotik.com/viewtopic.php?f=2&t=149863#p738129 Another solution is to modify Windows client registry: http://woshub.com/l2tp-ipsec-vpn-server-behind/ Original MS article about this solution (works also on latest Windows versions) https://support.microsoft...
by karlisi
Fri Jan 24, 2020 1:59 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 34606

Re: v6.46.2 [stable] is released!

P.S. All the "verification is a useless step", "we know better" answers are really ābols-style and it's sad to see that MikroTik has started going in this direction (a direction that is not very appreciated by IT people who might be a very notable share of current MikroTik users/customers). This is...
by karlisi
Thu Jan 23, 2020 10:09 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 34606

Re: v6.46.2 [stable] is released!

What to do, if I want to cancel upgrade? - Use "/system package update cancel" feature What to do if I do not realize there is an upgrade present that needs to be cancelled, because I can't see it, and therefore fail to cancel it? Use /system package update print to check, this is what they say.
by karlisi
Thu Jan 23, 2020 10:07 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 34606

Re: v6.46.2 [stable] is released!

Regarding verification of packages after download, this is of course about actually seeing the file in /file. That is not the same as doing a hash check or something, but that is not what this is about IMHO half of complaints would be eliminated, if there would be text in File window status bar, li...
by karlisi
Thu Jan 23, 2020 9:48 am
Forum: Beginner Basics
Topic: Per Port DHCP Address
Replies: 3
Views: 1086

Re: Per Port DHCP Address

It depends. Using switch alone - no.
by karlisi
Tue Jan 21, 2020 4:01 pm
Forum: Beginner Basics
Topic: Cable test [SOLVED]
Replies: 24
Views: 4479

Re: Cable test [SOLVED]

This is one fiber module, there is nothing to reverse, unlike in modules with separate tx and rx fibers.
by karlisi
Mon Jan 20, 2020 4:16 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 34606

Re: v6.46.2 [stable] is released!

3) If actual upgrade at reboot fails (due to missing packages or whatever), how does the admin know what packages are leftover in Files, and how does he remove them if Files is going to pretend to him that they don't exist? There will be no leftovers, on reboot they delete all npk files in file roo...
by karlisi
Mon Jan 20, 2020 4:12 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 34606

Re: v6.46.2 [stable] is released!

Can anyone post reasonable reason why it's important? Because such changes (non-cosmetic, without clear reason) are introduced without warning. BTW there is unmet side effect. Usually after ROS upgrade I uploaded additional packages to CAPsMAN for another platforms, to remote upgrade CAPs, storing ...
by karlisi
Mon Jan 20, 2020 11:15 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 34606

Re: v6.46.2 [stable] is released!

System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle. Please undo this change, it serves no useful purpose and has many disadvantages. Please revert this change. +++ I totally agree with pe1chl , macsrwe and r00t . Please revert...
by karlisi
Fri Jan 10, 2020 9:40 am
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 117
Views: 30688

Re: CSS326-24G-2S+RM hangs until power cycle

IGMP Snooping is already off.
by karlisi
Thu Jan 09, 2020 10:46 am
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 117
Views: 30688

Re: CSS326-24G-2S+RM hangs until power cycle

For now, try to disable the Flow Control for all interfaces under the "Link" menu in SwOS. Also, try to verify that other devices connected to the switch are not using any Flow Control settings. Keep an eye for any counters on the "Errors" menu. Let us know whether the switch still fails after this...
by karlisi
Tue Jan 07, 2020 9:45 am
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 117
Views: 30688

Re: CSS326-24G-2S+RM hangs until power cycle

This just happened to my CSS326-24G-2S+ running 2.10. It started balking after 17 days of uptime. Pings were fine, but any serious traffic would hang after a packet or two. Wow, it seems I'm not alone. My problem though is a little bit specific. There is no problem with wired clients, but if I conn...
by karlisi
Fri Dec 20, 2019 10:06 am
Forum: General
Topic: MT Router and Suricata as a IDS [SOLVED]
Replies: 2
Views: 1093

Re: MT Router and Suricata as a IDS [SOLVED]

Have you read this?
viewtopic.php?f=2&t=111727
by karlisi
Tue Dec 17, 2019 10:25 am
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 38880

Re: v6.46 [stable] is released!

It's an old and very clever rule for every software - never put in production new release before first bugfix subrelease, so in this case wait for 6.46.1 at least.
by karlisi
Tue Dec 17, 2019 10:20 am
Forum: Beginner Basics
Topic: VPN PPTP [SOLVED]
Replies: 6
Views: 1359

Re: VPN PPTP [SOLVED]

I added: /ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="Allow IN PPTP/TCP1723" disabled=no /ip firewall filter add chain=output protocol=tcp dst-port=1723 action=accept comment="Allow OUT PPTP/TCP1723" disabled=no /ip firewall filter add chain=input protocol=g...
by karlisi
Tue Dec 10, 2019 10:52 am
Forum: General
Topic: /interface ethernet set [ find default-name=ether1 ] speed=100Mbps
Replies: 5
Views: 1572

Re: /interface ethernet set [ find default-name=ether1 ] speed=100Mbps

Seems like bug in /export, some versions back interface export was clean.
by karlisi
Tue Dec 10, 2019 10:41 am
Forum: General
Topic: Problem with RouterOS Updating
Replies: 6
Views: 1104

Re: Problem with RouterOS Updating

Pay attention if there are no other architecture package uploaded on the device! And this is really annoying. Some time ago it was possible to upload to CAPsMAN device packages for device itself and for CAPs and upgrade entire network by one reboot. Now I should first upgrade manager, then CAPs. So...
by karlisi
Mon Dec 02, 2019 4:02 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 2734

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

On Windows client it can be done manually, using Powershell or GUI.
http://eyonic.blogspot.com/2016/06/how- ... ng-in.html
by karlisi
Thu Nov 28, 2019 4:44 pm
Forum: General
Topic: PPTP VPN - access file server
Replies: 3
Views: 676

Re: PPTP VPN - access file server

Router 1 should know where to send replies.
by karlisi
Wed Nov 27, 2019 3:11 pm
Forum: General
Topic: Port 8000 forwarding for HIKVISION camera not working
Replies: 7
Views: 1576

Re: Port 8000 forwarding for HIKVISION camera not working

My public IP is dynamic It's OK with dst-nat rules. You don't need 554/tcp or 8000/udp for iVMS application. How do you connect to external address? From inside the LAN? If so, you need additional hairpin-nat rule. I do not connect to an external address. Do you mean to my public IP? I connect it f...
by karlisi
Tue Nov 26, 2019 4:47 pm
Forum: General
Topic: Port 8000 forwarding for HIKVISION camera not working
Replies: 7
Views: 1576

Re: Port 8000 forwarding for HIKVISION camera not working

It's OK with dst-nat rules. You don't need 554/tcp or 8000/udp for iVMS application.
How do you connect to external address? From inside the LAN? If so, you need additional hairpin-nat rule.
by karlisi
Tue Nov 19, 2019 4:13 pm
Forum: RouterBOARD hardware
Topic: RB951Ui-2HnD Mikrotik 5th Poe Port
Replies: 1
Views: 1924

Re: RB951Ui-2HnD Mikrotik 5th Poe Port

PoE-Out LEDs Models with dependant voltage output PoE-Out LED behaviour can differ between models, but most of them will indicate PoE-Out state on one additional LED. Devices with one voltage output will light: Red colour LED - PoE-Out port state is powered-on (auto or forced-on mode). Blinking Red ...
by karlisi
Tue Nov 19, 2019 11:08 am
Forum: General
Topic: Sudden lost of all admin passwords and admin users
Replies: 11
Views: 1672

Re: Sudden lost of all admin passwords and admin users

I suspect security holes in configuration. Post '/export hide-sensitive' here, perhaps we will see something in it.
by karlisi
Fri Nov 15, 2019 10:02 am
Forum: General
Topic: Sudden lost of all admin passwords and admin users
Replies: 11
Views: 1672

Re: Sudden lost of all admin passwords and admin users

Without details there is not much to recommend. https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router First, be sure to have latest RouterOS (long-term or stable channel, it doesn't matter). Second, disallow access to router from Internet (including winbox, ssh, webfig), if such access is needed...
by karlisi
Wed Nov 06, 2019 8:11 am
Forum: Announcements
Topic: Winbox v3.20 released!
Replies: 42
Views: 26348

Re: Winbox v3.20 released!

What's new in v3.20: 1) Does the program Winbox use encryption to connect to hardware device? 2) Can I use Winbox without fear in adverse networks? 3) Is there any protection in the connection from the Man in the middle (MITM) attack? From Winbox v3.14, the following security features are used: Win...
by karlisi
Wed Oct 30, 2019 11:43 am
Forum: Beginner Basics
Topic: DST-NAT to internal multiple IP Adresses
Replies: 5
Views: 829

Re: DST-NAT to internal multiple IP Adresses

Try this add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=443 protocol=tcp \ to-addresses=193.0.8.248 to-ports=443 add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=25 protocol=tcp \ to-addresses=193.0.8.248 to-ports=25 add action=dst-nat chain=dstnat dst-address=192.1...
by karlisi
Mon Oct 21, 2019 4:09 pm
Forum: Beginner Basics
Topic: Redirecting the IP address to name
Replies: 10
Views: 1550

Re: Redirecting the IP address to name

IMHO, no, you need both, hostname and domain name.
Something about this problem here
https://superuser.com/questions/1211416 ... be-ignored
by karlisi
Fri Oct 11, 2019 10:48 am
Forum: General
Topic: ESET AV detect PHP/Obfuscated.E at this forum
Replies: 1
Views: 756

Re: ESET AV detect PHP/Obfuscated.E at this forum

I am using ESET Endpoint Antivirus and have no problems with Mikrotik forum.
by karlisi
Mon Oct 07, 2019 10:20 am
Forum: General
Topic: L2TP/IPSec - Works from Android and Mikrotik but not Windows?
Replies: 3
Views: 1923

Re: L2TP/IPSec - Works from Android and Mikrotik but not Windows?

L2tp/IPSec client on Windows can work without registry mod. NAT device in this case is whatever you want, all magic is made on Mikrotik VPN server
viewtopic.php?f=2&t=149863#p738129
by karlisi
Mon Sep 16, 2019 9:24 am
Forum: General
Topic: Laptops are trying to hack my router
Replies: 8
Views: 1896

Re: Laptops are trying to hack my router

Start with this
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
If you want to block access to router from guest network, block in firewall input chain all from this interface or IP range, allowing only needed services, i.e. DHCP, DNS, etc.
by karlisi
Fri Aug 09, 2019 1:25 pm
Forum: RouterBOARD hardware
Topic: Cant connect to RB951G-2HnD [SOLVED]
Replies: 2
Views: 1977

Re: Cant connect to RB951G-2HnD [SOLVED]

Hold the reset button about 5 sec, until ACT LED starts flashing. If held for 10 sec or more and LED stays lit or turns off, it's too long.
https://wiki.mikrotik.com/wiki/Manual:Reset
by karlisi
Mon Aug 05, 2019 5:56 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 38338

Re: v6.45.3 [stable] is released!

I don't know what smips device is, I have hAP and two hAP lites. Maybe I don't need the whole smips package.
Processor architecture, hAP is mipsbe, hAP Lite is smips.
by karlisi
Fri Aug 02, 2019 3:28 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 52552

Re: v6.45.2 [stable] is released!

my RB750Gr3 with 6.41.5 version. After reboot it must be upgraded. But after that he did not start correctly, i can not seen him in winbox
Check Winbox version, it must be at least 3.19
by karlisi
Tue Jul 30, 2019 8:18 am
Forum: The Dude
Topic: can't add winbox as tool to The Dude
Replies: 4
Views: 2358

Re: can't add winbox as tool to The Dude

"C:\Program Files (x86)\Dude\winbox.exe" "[Device.FirstAddress]:1234" "[Device.UserName]" "[Device.Password]"
by karlisi
Mon Jul 29, 2019 11:44 am
Forum: RouterBOARD hardware
Topic: Electrical Problems Causing Failure
Replies: 10
Views: 2604

Re: Electrical Problems Causing Failure

Seems like something in network. RB2011 has external PSU which typically fails first on bad electricity.
by karlisi
Wed Jul 17, 2019 12:06 pm
Forum: Wireless Networking
Topic: Lost connection over wireless to remote station after upgrade [SOLVED]
Replies: 1
Views: 903

Re: Lost connection over wireless to remote station after upgrade [SOLVED]

To answer my own question - regulatory domain restrictions. On station wireless installation=outdoor, on AP installation=any, frequency on both 5180 MHz. For country Latvia lowest allowed frequency for outdoor installations is 5500 MHz, so on station frequency was wrong, but older ROS allowed it. Fr...
by karlisi
Tue Jul 16, 2019 9:58 am
Forum: General
Topic: NEED help with FORUM
Replies: 6
Views: 1043

Re: NEED help with FORUM

See User control panel -> Board preferences -> Edit notification option
by karlisi
Tue Jul 16, 2019 8:13 am
Forum: The Dude
Topic: Is Dude Communication Secure ?
Replies: 4
Views: 2644

Re: Is Dude Communication Secure ?

For example, part of my first question concerns SNMP to the RouterOS device itself. With secure mode enabled, does the Dude poll the RouterOS device's SNMP via the secure connection or across the WAN facing SNMP port ? Only SNMP v3 supports secure communication. Configure Dude server and devices to...
by karlisi
Mon Jul 15, 2019 4:05 pm
Forum: Wireless Networking
Topic: Lost connection over wireless to remote station after upgrade [SOLVED]
Replies: 1
Views: 903

Lost connection over wireless to remote station after upgrade [SOLVED]

Have AP and remote 2 stations to make wireless bridges. Upgraded AP and one of stations from 6.42.12 to 6.44.5 lost connection to upgraded station. Not upgraded station works. Some ideas, what is changed and is it possible to recover connection without physically accessing remote station? configurat...
by karlisi
Mon Jul 15, 2019 10:10 am
Forum: The Dude
Topic: Is Dude Communication Secure ?
Replies: 4
Views: 2644

Re: Is Dude Communication Secure ?

Secure mode - Whether to use Secure mode when connecting to a RouterOS device. Uses TLS connection

https://wiki.mikrotik.com/wiki/Manual:T ... e_settings
by karlisi
Thu Jul 11, 2019 8:18 am
Forum: The Dude
Topic: Push logs from Mikrotik to Graylog Server
Replies: 5
Views: 3755

Re: Push logs from Mikrotik to Graylog Server

Yes, logs from Mikrotik can be collected on Graylog.
by karlisi
Wed Jul 10, 2019 3:22 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 52515

Re: v6.44.5 [long-term] is released!

Every changelog must contain all changes and fixes from previous same channel release, not from previous release by number.
It's about this sentence? For long-term channel there are no other intermediate releases, only long-term. Similarly as for stable channel there is no beta releases. Changelogs...
by karlisi
Wed Jul 10, 2019 2:57 pm
Forum: The Dude
Topic: Push logs from Mikrotik to Graylog Server
Replies: 5
Views: 3755

Re: Push logs from Mikrotik to Graylog Server

Are you also writing in Graylog forum? As already said there, first check if messages can reach graylog server at all and if port 2514 is open on the server.
by karlisi
Wed Jul 10, 2019 11:29 am
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 52515

Re: v6.44.5 [long-term] is released!

How do you guys propose we make such a changelog? This is the long term branch, where releases are very rare, and the jumps are very big. Imagine there could be 15 fixes, new bugs, fixes again, then the feature could be already removed, then a new one added, removed again, and then a new feature ma...
by karlisi
Wed Jul 10, 2019 9:51 am
Forum: Wireless Networking
Topic: Equipment for the conference room
Replies: 6
Views: 1803

Re: Equipment for the conference room

He's using PoE switch to provide power to APs, in place of 4 PoE injectors.
by karlisi
Tue Jul 09, 2019 2:13 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 52515

Re: v6.44.5 [long-term] is released!

Mikrotik, please, write changelogs properly! Since separating stable and long-term channels they are incomplete, at least for long-term. Every changelog must contain all changes and fixes from previous same channel release, not from previous release by number. It will eliminate such problems, as in ...
by karlisi
Mon Jul 08, 2019 8:46 am
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 15
Views: 8928

Re: L2TP VPN can not connect on Windows 10

Thanks, I will test it.

And yes, this should go to separate topic
by karlisi
Fri Jul 05, 2019 2:44 pm
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 15
Views: 8928

Re: L2TP VPN can not connect on Windows 10

I assume you have good reasons to take all this burden (registry tweaking or implementing my trick) rather than running the L2TP/IPsec directly on the outer Mikrotik.
Don't want to enable proxy-arp on LAN interface, to access devices on internal network.
by karlisi
Fri Jul 05, 2019 1:32 pm
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 15
Views: 8928

Re: L2TP VPN can not connect on Windows 10

Ah, I see, I should explain better. l2tp server is running on other Mikrotik device behind Mikrotik router.
Windows l2tp client -> remote LAN -> SOHO router -> Internet -> Mikrotik router with dst-nat -> LAN -> Mikrotik l2tp server
In this setup VPN can't connect without Windows registry modification.
by karlisi
Fri Jul 05, 2019 9:05 am
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 15
Views: 8928

Re: L2TP VPN can not connect on Windows 10

(optional for clarity) add a bridge interface with no member ports attach the public IP of the NAT behind which the server Mikrotik lives to an interface on the Mikrotik as a /32 one (normally to the portless bridge one created above, but you can use any interface) /ip firewall nat print chain=dstn...
by karlisi
Thu Jul 04, 2019 3:36 pm
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 15
Views: 8928

Re: L2TP VPN can not connect on Windows 10

it is possible to run an L2TP/IPsec server on a Mikrotik behind a NATing device even without tweaking the Windows registry, the price to pay is that the clients then cannot have public IPs directly on themselves.
How? We have many sites with Windows clients behind src-nat and l2tp/ipsec server behi...
by karlisi
Thu Jul 04, 2019 9:23 am
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 15
Views: 8928

Re: L2TP VPN can not connect on Windows 10

It is not clear from your post, how your network is set up. I assume, L2TP server is behind router with dst-nat to this server, and you are trying to connect from Windows client. If so, Windows registry modification is required on client computer. Read this (although article is about Windows Vista, ...
by karlisi
Fri Jun 28, 2019 8:12 am
Forum: Beginner Basics
Topic: L2TP SERVER BEHIND NAT
Replies: 4
Views: 2644

Re: L2TP SERVER BEHIND NAT

As You already found this is Windows problem. You can't solve it another way, only patching every Windows client.
by karlisi
Tue Jun 25, 2019 4:48 pm
Forum: Beginner Basics
Topic: Firewall rule for accessing winbox
Replies: 7
Views: 1889

Re: Firewall rule for accessing winbox

chain=input is for incoming packets destined for router itself.
by karlisi
Wed Jun 19, 2019 4:09 pm
Forum: RouterBOARD hardware
Topic: MTBF of RouterBOARD
Replies: 16
Views: 5379

Re: MTBF of RouterBOARD

UP! Mikrotik APs compliant with the wifi4eu minimum specs? As request from WiFi4EU 9.2.1 What are the technical requirements for the WiFi4EU Access Points? (...) Supports IEEE 802.11r Supports IEEE 802.11k Supports IEEE 802.11v (...) These protocols are missing in Mikrotik products, so they are not...
by karlisi
Wed May 29, 2019 4:23 pm
Forum: General
Topic: Enable NTP Client [SOLVED]
Replies: 4
Views: 957

Re: Enable NTP Client [SOLVED]

Yes
by karlisi
Wed May 29, 2019 9:46 am
Forum: General
Topic: Simple config but Internet not working.
Replies: 1
Views: 452

Re: Simple config but Internet not working.

Try this
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether13WAN
Not related to connection problems, but You have very insecure firewall rules. In input chain You should block everything, allowing only needed inputs. Also, forward chain is empty.
by karlisi
Fri May 24, 2019 10:04 am
Forum: Beginner Basics
Topic: Ban IP's / Drop connections of RDP Brute forcers
Replies: 6
Views: 1302

Re: Ban IP's / Drop connections of RDP Brute forcers

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain. In simple English, why drop is in input chain, not in raw? Perhaps linked wiki is intended to show the principle, not working configuration. You never know what other firewall rules are ...
by karlisi
Fri May 17, 2019 8:26 am
Forum: Wireless Networking
Topic: CAPsMAN channel selection
Replies: 7
Views: 3889

Re: CAPsMAN channel selection

It's OK if these CAPs are far away one from other. You can reduce reselect interval to force CAPs to check more often for less busy frequency.
by karlisi
Mon Apr 29, 2019 3:27 pm
Forum: General
Topic: Ipsec error in Log [SOLVED]
Replies: 4
Views: 992

Re: Ipsec error in Log [SOLVED]

i don't use IPSEC at all how can i disable it?
Review firewall input chain, perhaps you have unnecessary ports or protocols open. Best practice is to close all, except only those you are using.
by karlisi
Mon Apr 29, 2019 1:32 pm
Forum: General
Topic: Ipsec error in Log [SOLVED]
Replies: 4
Views: 992

Re: Ipsec error in Log [SOLVED]

Also what is the TCP connection established towards my router?
These are connections to your PPTP server. 'TCP connection established' not necessarily means someone was able to get in, it means someone established connection and was able to begin the authentication process. The same for ipsec error...
by karlisi
Tue Apr 23, 2019 11:03 am
Forum: General
Topic: POE Out [SOLVED]
Replies: 4
Views: 674

Re: POE Out [SOLVED]

Typical RB951 power consumption is about 0.13A on startup and about 0.1A when running. If this is 24V 0.8A power adapter then yes, you can, because both RBs will use 0.26A max.
by karlisi
Mon Apr 15, 2019 5:46 pm
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 3739

Re: L2TP with RADIUS

Try to use simpler RADIUS configuration
/radius
add address=192.168.7.70 secret=AgileroSecret123 service=ppp src-address=192.168.7.1

I can't ping my AD Server (192.168.7.70) using udp 1812/1813

You tried this from Mikrotik?
by karlisi
Fri Apr 12, 2019 10:22 am
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 3739

Re: L2TP with RADIUS

If L2TP client is Windows, run this command in Windows administrative command window (cmd -> run as administrator), then restart Windows:
reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
by karlisi
Wed Apr 10, 2019 11:48 am
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 3739

Re: L2TP with RADIUS

Unable to access LAN from VPN client
viewtopic.php?t=85962
by karlisi
Wed Apr 10, 2019 11:44 am
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 3739

Re: L2TP with RADIUS

For Mikrotik and Windows AD integration I used this tutorial
https://mivilisnet.wordpress.com/2018/1 ... indows-ad/
by karlisi
Mon Mar 04, 2019 10:02 am
Forum: Wireless Networking
Topic: CAPSMAN - Upgrade Policy - Require same version - should always work - suggestion
Replies: 3
Views: 1304

Re: CAPSMAN - Upgrade Policy - Require same version - should always work - suggestion

You can download and upload the latest release of RouterOS in the files section of your CHR then point cAPs via CAPsMAN to pickup the latest ROS from there and update. Could be MIPSBE or any other. There is one problem. You should first upgrade the CAPsMAN, and after that upload files for other pla...
by karlisi
Mon Feb 25, 2019 4:32 pm
Forum: General
Topic: Upgrade fails if .npk for other platforms are present
Replies: 0
Views: 673

Upgrade fails if .npk for other platforms are present

If I remember correctly, some time ago it was possible to upload to CAPsMAN router all needed packages for APs and router itself. After restart router was upgraded and all APs too, if "suggest same version" upgrade policy was enabled. Now, if there are additional .npk files uploaded RouterOS upgrade...
by karlisi
Thu Feb 21, 2019 4:28 pm
Forum: Wireless Networking
Topic: Identify which CAPsMAN interface belongs to which AP [SOLVED]
Replies: 2
Views: 663

Re: Identify which CAPsMAN interface belongs to which AP [SOLVED]

/caps-man provisioning add name-format=identity
by karlisi
Fri Feb 15, 2019 1:11 pm
Forum: Scripting
Topic: Contribute backup script to FTP [SOLVED]
Replies: 2
Views: 821

Re: Contribute backup script to FTP [SOLVED]

Sometimes it's good to have configuration export too:
/system backup save name=$filename password=xxxxx
:delay 3s
/export file=$filename
by karlisi
Mon Feb 11, 2019 10:52 am
Forum: RouterBOARD hardware
Topic: Mikrotik Poe Cascading
Replies: 6
Views: 1254

Re: Mikrotik Poe Cascading

We have in some sites RB260GSP -> RB951Ui-2HnD -> RB951Ui-2HnD chained, somewhere 2 chains on one switch, without problems for more than 3 years. From my experience RB951 power consumption is about 130mA on boot, about 95mA when booted, so theoretically we can put such chains on all 4 outputs.
by karlisi
Fri Feb 08, 2019 2:54 pm
Forum: Beginner Basics
Topic: Cloud Router Switch administration [SOLVED]
Replies: 11
Views: 1443

Re: Cloud Router Switch administration [SOLVED]

Use one of combo ports for connection to PC.
Do You see device in Winbox? Try to connect using MAC address.
https://i.mt.lv/cdn/rb_files/1539897967 ... lus-qg.pdf
by karlisi
Fri Feb 01, 2019 2:34 pm
Forum: General
Topic: Winbox Urgent Suggestion
Replies: 15
Views: 1672

Re: Winbox Urgent Suggestion

i have the right to use a winbox version that is compatible with my OS
As the Winbox name suggests, it's a Windows Box.
by karlisi
Thu Jan 10, 2019 10:04 am
Forum: Beginner Basics
Topic: Noob firewall question - being brute forced
Replies: 7
Views: 959

Re: Noob firewall question - being brute forced

If I understand correctly these could be commands I'd need to use after adding all WAN addresses to a custom contacts list MyContactList?(I replaced RDP /w TCP as per @mkx comment and used 8.8.8.8 as server IP for this example) Do I need to use the WinBox software to execute this or can I do it fro...
by karlisi
Fri Dec 28, 2018 3:47 pm
Forum: RouterBOARD hardware
Topic: RB750 Aluminum Electrolytic Capacitor SMD need replacement
Replies: 3
Views: 1041

Re: RB750 Aluminum Electrolytic Capacitor SMD need replacement

If there is j not capital J after 330, then it is 330uF 6.3V 105*C
by karlisi
Thu Dec 20, 2018 4:31 pm
Forum: Beginner Basics
Topic: Strange UDP Packet to 81.198.87.240 [SOLVED]
Replies: 1
Views: 759

Re: Strange UDP Packet to 81.198.87.240 [SOLVED]

# nslookup cloud.mikrotik.com
Name: cloud.mikrotik.com
Address: 81.198.87.240
by karlisi
Fri Dec 14, 2018 10:19 am
Forum: General
Topic: Feature request: CAPsManager - roaming
Replies: 80
Views: 29022

Re: Feature request: CAPsManager - roaming

The project requirements for WiFi4EU are:
(..)
support IEEE 802.11r
(..)
But unfortunately Mikrotik does not meet the requirements.
We also wanted to participate in this project to extend our infrastructure. It seems, EU money will go to another company. Perhaps Mikrotik don't need this money?
by karlisi
Thu Dec 13, 2018 9:46 am
Forum: Wireless Networking
Topic: cAP ac: Alternative brackets
Replies: 4
Views: 1129

Re: cAP ac: Alternative brackets

Can you clarify about the cable not bending enough to fit into the wall? I just don't see the issue. Subject: 19.0 What is the Minimum Bending Radius for a Cable? According to EIA SP-2840A (a draft version of EIA-568-x) the minimum bend radius for UTP is 4 x cable outside diameter, about one inch. ...
by karlisi
Tue Dec 11, 2018 2:05 pm
Forum: Beginner Basics
Topic: Router Optimization
Replies: 7
Views: 2097

Re: Router Optimization

I hope you have also some rules to protect the router from attacks, not only those shown, and your router isn't transferring any malicious traffic too. IMHO it's enough to have 1 rule instead of 3 in forward chain, not needed to specify ports
/ip firewall filter add action=fasttrack-connection chain...
by karlisi
Tue Dec 04, 2018 10:28 am
Forum: General
Topic: Tls host not work
Replies: 9
Views: 5093

Re: Tls host not work

It works, at least on 6.42.10
You should remove port, leaving only tls-host. And this rule must be before 'accept established, related' rule.
by karlisi
Thu Nov 22, 2018 10:40 am
Forum: General
Topic: don´t upgrade last version MKT1100AHx2
Replies: 1
Views: 444

Re: don´t upgrade last version MKT1100AHx2

What's in the log?
by karlisi
Tue Nov 20, 2018 2:00 pm
Forum: Beginner Basics
Topic: MIkrotik backup script
Replies: 4
Views: 991

Re: MIkrotik backup script

I would have added Year :)
It wasn't in OP requirements ;)
by karlisi
Tue Nov 20, 2018 10:10 am
Forum: Beginner Basics
Topic: MIkrotik backup script
Replies: 4
Views: 991

Re: MIkrotik backup script

Something like this?
:local filename;
:local date [/system clock get date];
:local name [/system identity get name];
:local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
:local varMonth [:pick $date 0 3];
:set varMonth ([ :find $months $varMonth -1 ] + 1);
:if ($v...
by karlisi
Wed Nov 07, 2018 4:42 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 17
Views: 4027

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

Not related to VPN problems, but /ip firewall rules are not in optimal order. In input chain put allow established, related rules on top.
by karlisi
Wed Nov 07, 2018 4:36 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 17
Views: 4027

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

Try this
/ppp profile
add dns-server=192.168.90.254 local-address=192.168.90.254 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
by karlisi
Wed Nov 07, 2018 3:45 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 17
Views: 4027

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

It's very hard to guess what is wrong only from video and screens. Can You post output from /export hide-sensitive ?
by karlisi
Tue Nov 06, 2018 10:01 am
Forum: The Dude
Topic: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?
Replies: 6
Views: 2956

Re: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?

I don't think they overlap and I would implement Dude, Splunk and, in place of Cacti, Zabbix.
Dude for management and very basic monitoring but it can do more.
Splunk (I am using it's alternative Graylog) for log collecting, log analyzing and alerting.
Zabbix for monitoring, graphing and alerting.
by karlisi
Thu Oct 25, 2018 4:39 pm
Forum: General
Topic: Redirect request by source IP in a scenario with Server Microsoft (DC)
Replies: 3
Views: 672

Re: Redirect request by source IP in a scenario with Server Microsoft (DC)

For domain-joined workstations it is mandatory to have AD aware DNS servers configured. If You will configure DNS server on them, which knows nothing about AD, it will break domain authentication.
by karlisi
Wed Oct 24, 2018 10:30 am
Forum: Beginner Basics
Topic: Mikrotik as a switch with wifi
Replies: 8
Views: 2234

Re: Mikrotik as a switch with wifi

Try this
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n frequency=2422 name=wlan2.4 \
ssid=NETGEAR48 mode=station-pseudobridge
by karlisi
Thu Sep 20, 2018 2:34 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 117407

Re: Winbox vulnerability: please upgrade

would check firewall rules for unsafe entries on every upgrade
What is considered unsafe entry? And how would you determine that particular entry is unsafe in specific firewall?
Everything outside default protection rules. It should be only warning, nothing else.
by karlisi
Thu Sep 20, 2018 12:41 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 117407

Re: Winbox vulnerability: please upgrade

In some cases Windows 10 forces user to restart computer not letting to do anything else. It's almost the same, except if user wants to sit and look at smth like "You must restart Your computer to finish important update" forever. It's offtopic, imho. Mikrotik should not change upgrade to automatic ...
by karlisi
Fri Sep 14, 2018 12:14 pm
Forum: General
Topic: NAT Setup: Access from internal network is OK, but from internet show mikrotik login page
Replies: 1
Views: 691

Re: NAT Setup: Access from internal network is OK, but from internet show mikrotik login page

First, it's not good to open all webserver's ports to whole world. dst-nat rules should be something like this
chain=dstnat action=dst-nat to-addresses=192.168.89.254 to-ports=443 protocol=tcp dst-address=2.184.70.46 dst-port=443 log=no
chain=dstnat action=dst-nat to-addresses=192.168.89.254 to-port...
by karlisi
Wed Aug 29, 2018 10:57 am
Forum: Wireless Networking
Topic: CAPsMAN - can't get 5GHz band on wAP ac to work [SOLVED]
Replies: 15
Views: 6694

Re: CAPsMAN - can't get 5GHz band on wAP ac to work [SOLVED]

See the CAPsMAN configuration below. The wAP ac has only ever been configured as CAP using the button. To me the configuration looks fine, and I'm not seeing any errors (such as "no supported channel"). But I'm new to CAPsMAN, probably I'm missing something obvious? [admin@MikroTik] /caps-man chann...
by karlisi
Tue Jul 31, 2018 3:10 pm
Forum: General
Topic: MT Forum problems (posting/upload)
Replies: 4
Views: 1117

Re: MT Forum problems (posting/upload)

After posting, a white screen is shown instead of the usual next screen.
However, the posting appears when reloading the forum.
It's fixed, nice
by karlisi
Tue Jul 31, 2018 9:53 am
Forum: Beginner Basics
Topic: Troublesome Firewall rule (NAT?)
Replies: 6
Views: 1070

Re: Troublesome Firewall rule (NAT?)

Perhaps it's a typo, in text you have 10.0.0.155, in NAT rule IP is 10.0.0.55. Remove from NAT rule src-port=8082 and add in-interface=your-wan-interface (or dst-address=your-wan-ip) to it. And, you don't need this firewall rule, except, if you are blocking all tcp ports in forward chain (unlikely). ...
by karlisi
Mon Jul 30, 2018 10:48 am
Forum: General
Topic: problem accessing the mikrotik VM
Replies: 1
Views: 373

Re: problem accessing the mikrotik VM

You can log in from VM management.
BTW version 6.38.3 is vulnerable to at least 2 threats, consider to upgrade, more on https://blog.mikrotik.com/security/
by karlisi
Mon Jul 16, 2018 11:44 am
Forum: General
Topic: How do i access mikrotik, i forwarded the only service port (winbox) to an nother ip by accident [SOLVED]
Replies: 3
Views: 666

Re: How do i access mikrotik, i forwarded the only service port (winbox) to an nother ip by accident [SOLVED]

If You can access router physically and know IP address from which it is accessible, connect it directly to Your computer, set on computer this (wrong) IP address and that's all. If not, ask ISP, sorry.
by karlisi
Fri Jul 13, 2018 3:28 pm
Forum: General
Topic: Automatically upgrade CAPs MIPSBE over CAPsMAN ARM
Replies: 2
Views: 1436

Re: Automatically upgrade CAPs MIPSBE over CAPsMAN ARM

Upload mipsbe package to RB3011.
Configure CAPsMAN accordingly (change path if needed)
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
That's all. The upgrade process will start immediately, all CAPs will restart as a result.
by karlisi
Wed Jul 11, 2018 8:45 am
Forum: Beginner Basics
Topic: Connecting routers through POE ports
Replies: 4
Views: 1001

Re: Connecting routers through POE ports

Seems like it's quite possible to have two units daisy-chained (even using PoE injector), but not more. I can confirm this, we have daisy chained two RB951Ui-2HnD and two hAP in many places. On startup they are consuming from power unit about 150mA each, so, perhaps 3 units chained are acceptable, ...
by karlisi
Wed Jul 11, 2018 8:22 am
Forum: General
Topic: PPTP question [SOLVED]
Replies: 3
Views: 869

Re: PPTP question [SOLVED]

It means someone trying to get in. These messages are written for every attempt, successful or unsuccessful. For unsuccessful authentication typically there are no additional messages (default configuration). If authentication was successful, there should be message like 'username logged in'.
by karlisi
Tue Jul 10, 2018 10:51 am
Forum: Beginner Basics
Topic: How specific do you make your FW rules?
Replies: 4
Views: 954

Re: How specific do you make your FW rules?

I have from 9 to 60 rules on different sites, it depends. 30 rules for 2 WANs is not so much, I think.
by karlisi
Fri Jul 06, 2018 2:42 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 63
Views: 38141

Re: Winbox v3.16 released!

Hello everybody,
Faton
Start new topic, please! This is for problems with Winbox v3.16 only!
by karlisi
Wed Jul 04, 2018 10:32 am
Forum: Wireless Networking
Topic: CAPsMAN very bad performance
Replies: 2
Views: 2145

Re: CAPsMAN very bad performance

Try a different channel.
Or better, let the CAP choose the channel and to avoid conflicts with other devices set reselect channel every 1 minute
/caps-man channel
add band=2ghz-g/n reselect-interval=1m name="ch 2"
by karlisi
Fri Jun 22, 2018 12:30 pm
Forum: General
Topic: The security flaw for Hajime is closed by the firewall
Replies: 37
Views: 23585

Re: The security flaw for Hajime is closed by the firewall

maybe it infected the backup file ?
Did you restore from .backup file, not from configuration backup (.rsc file)?
by karlisi
Wed Jun 13, 2018 3:58 pm
Forum: Beginner Basics
Topic: Windows Domain Controller blocked by Mikrotik firewall?
Replies: 9
Views: 1962

Re: Windows Domain Controller blocked by Mikrotik firewall?

Your AD DC IP is 192.168.0.200 and have DHCP server on it? If so, why to use DHCP on Mikrotik? 2 DHCP servers in one network is a big mess. Disable DHCP server and DHCP relay on Mikrotik and use Windows DHCP. Configure it properly to give Windows DNS server address as only DNS server for clients. Re...
by karlisi
Mon Jun 11, 2018 5:15 pm
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 3889

Re: Capsman scheduler

And if you disable all provisioning rules by hand and execute provision on all radios, the interfaces are still there?
by karlisi
Mon Jun 11, 2018 1:20 pm
Forum: General
Topic: MT Router honeypot.
Replies: 20
Views: 3256

Re: MT Router honeypot.

This can be fun :) I suggest to forward the log to some syslog server, for some analysis later.
by karlisi
Mon Jun 11, 2018 8:39 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 3889

Re: Capsman scheduler

Are you sure your APs are managed by CAPsMAN? Are they on /capsman interface ?
by karlisi
Fri Jun 08, 2018 8:33 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 3889

Re: Capsman scheduler

Post export from /capsman provisioning and /capsman configuration please.
by karlisi
Tue Jun 05, 2018 11:14 am
Forum: RouterBOARD hardware
Topic: CRS317 vertical operation? [SOLVED]
Replies: 3
Views: 1067

Re: CRS317 vertical operation? [SOLVED]

There are heat pipes inside the case to transfer heat to external radiator. There is no fan on radiator and radiator ribs are designed for horizontal use of the case. You can use it vertically but it needs temp monitoring and perhaps some additional fan for external cooling.
by karlisi
Tue Jun 05, 2018 9:34 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 3889

Re: Capsman scheduler

So, something wrong with configurations included in these provisionings.
by karlisi
Mon Jun 04, 2018 2:19 pm
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 3889

Re: Capsman scheduler

Only the first enabled provisioning rule will be in effect, if no additional filtering parameters (hw-supported-modes, identity-regexp, etc.) are set. If you want to disable all 4 provisioning rules at once, try my scripts:
/caps-man provisioning enable numbers=[find]
:delay 1
/caps-man radio provis...
by karlisi
Mon Jun 04, 2018 10:34 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 3889

Re: Capsman scheduler

Try on first line
/caps-man provisioning disable numbers=[find]
And on second script too. This should disable and enable all configurations.
by karlisi
Wed May 30, 2018 11:05 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 3889

Re: Capsman scheduler

You already have provisioning rules configured. Create these scripts and schedule to run them.

to enable
/caps-man provisioning enable 0    
:delay 1
/caps-man radio provision numbers=[find]
to disable
/caps-man provisioning disable 0 
:delay 1
/caps-man radio provision numbers=[find]
by karlisi
Wed May 23, 2018 2:13 pm
Forum: General
Topic: ICMP issue in src-nat
Replies: 2
Views: 673

Re: ICMP issue in src-nat

This is expected, src-nat works for outgoing packets from internal network to outside. To deliver packets from outside to internal network You need dst-nat rule.
by karlisi
Mon May 21, 2018 3:53 pm
Forum: Beginner Basics
Topic: What do i need to learn to become proficient quickly?
Replies: 20
Views: 2536

Re: What do i need to learn to become proficient quickly?

Strange link that was.
Perhaps, but I found it very useful. And it's from Mikrotik :)
by karlisi
Wed May 09, 2018 8:22 am
Forum: Virtualization
Topic: how to install chr on xen server
Replies: 1
Views: 2434

Re: how to install chr on xen server

I imported OVA package, went smooth.
by karlisi
Wed Mar 14, 2018 3:01 pm
Forum: The Dude
Topic: Is possible to analyze a network with PC with Windows and The Dude?
Replies: 1
Views: 827

Re: Is possible to analyze a network with PC with Windows and The Dude?

No, You will need Windows for Dude client and one Mikrotik RouterOS device with dude package installed. It is not necessary to purchase Mikrotik hardware, if You haven't one. You can use CHR on virtual machine https://wiki.mikrotik.com/wiki/Manual:CHR
by karlisi
Fri Feb 16, 2018 10:11 am
Forum: Beginner Basics
Topic: Block websites http and https without Web Proxy / 100% works.
Replies: 17
Views: 17821

Re: Block websites http and https without Web Proxy / 100% works.

You can check this configuration, all IPs are Facebook IPs.
Not exactly. Big names, as FB, Google, Microsoft, host their data on many data-centers worldwide, which also host data for many other organizations. By blocking their addresses, You will block all services from these IPs, i.e., software u...
by karlisi
Thu Jan 25, 2018 8:35 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 96343

Re: v6.41 [current]

Could we expect that 6.40.5 will become "bugfix" or 6.40.6 with fixes from 6.41?

6.40.5 is the last with "old-known-bridge-implementation" technology and not all want to upgrade to "new-better-but-not-too-familiarized" one.
+1001
by karlisi
Mon Jan 22, 2018 9:08 am
Forum: Beginner Basics
Topic: How to block SSH attackers after 3 bad logins?
Replies: 19
Views: 9065

Re: How to block SSH attackers after 3 bad logins?

This will block ssh after 2nd time. To block after 4th time using this method, use 3 temporary stages and then add to blacklist. I made something like this, don't know if it's ok. If somebody try to ssh 4 times in 15 seconds, it will block him. What do you think? add action=drop chain=input comment="...
by karlisi
Mon Jan 15, 2018 2:50 pm
Forum: Beginner Basics
Topic: How to block SSH attackers after 3 bad logins?
Replies: 19
Views: 9065

Re: How to block SSH attackers after 3 bad logins?

If You want to keep ssh wide open, this is working configuration to add some brute-forcers to blacklist. Then You can use this blacklist to fully block these addresses (be careful, You can block yourself too) or only block ssh and perhaps some other sensitive ports. add action=jump chain=input comme...
by karlisi
Fri Jan 12, 2018 10:26 am
Forum: General
Topic: capsman V2 package - cant find it to update my routerboard and Cap [SOLVED]
Replies: 1
Views: 832

Re: capsman V2 package - cant find it to update my routerboard and Cap [SOLVED]

CAPsMAN v2 is included by default in latest routeros (both bugfix and current).
by karlisi
Wed Dec 20, 2017 4:55 pm
Forum: Wireless Networking
Topic: CAPsMAN with two SSIDs
Replies: 10
Views: 4925

Re: CAPsMAN with two SSIDs

Perhaps try simpler configuration
/caps-man configuration
add channel=loader datapath=loader mode=ap name=cfg1 security=security1 ssid=loader-new
add datapath=free mode=ap name=free-new security=security2 ssid=free-new
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg...
by karlisi
Wed Dec 20, 2017 10:26 am
Forum: Wireless Networking
Topic: CAPsMAN with two SSIDs
Replies: 10
Views: 4925

Re: CAPsMAN with two SSIDs

Try without specifying interfaces
by karlisi
Wed Dec 20, 2017 8:23 am
Forum: Wireless Networking
Topic: CAPsMAN with two SSIDs
Replies: 10
Views: 4925

Re: CAPsMAN with two SSIDs

It's impossible to see Your configuration from screenshots. Please post output from /caps-man export
by karlisi
Fri Dec 08, 2017 10:21 am
Forum: General
Topic: Using Splunk to analyse MikroTik logs
Replies: 98
Views: 21400

Re: Using Splunk to analyse MikroTik logs

Took little test yesterday. Great tool for log analysis. One big problem for free licence, no email alerts :(
by karlisi
Fri Nov 24, 2017 10:47 am
Forum: General
Topic: Tool: Realtime per IP traffic monitor for home/office
Replies: 291
Views: 330053

Re: Tool: Realtime per IP traffic monitor for home/office

Many thanks for this tool!
by karlisi
Fri Nov 24, 2017 9:41 am
Forum: Beginner Basics
Topic: Separation of traffic from different networks to different external addresses on 1 WAN port
Replies: 2
Views: 643

Re: Separation of traffic from different networks to different external addresses on 1 WAN port

You should have 2 IP addresses on WAN interface, then dst-nat like this
add action=src-nat chain=srcnat out-interface=WAN src-address=10.1.1.0/24 to-addresses=1.1.1.9/29
add action=src-nat chain=srcnat out-interface=WAN src-address=10.2.1.0/24 to-addresses=1.1.1.10/29
Your example for example for ne...
by karlisi
Wed Nov 08, 2017 9:56 am
Forum: Wireless Networking
Topic: CAPsMAN manager can't manage its own wireless [SOLVED]
Replies: 20
Views: 24448

Re: CAPsMAN manager can't manage its own wireless [SOLVED]

Check discovery interface on CAP settings. Should be LAN interface.
by karlisi
Fri Nov 03, 2017 1:58 pm
Forum: General
Topic: DNS in mikrotik and DC on Windows Server
Replies: 3
Views: 7235

Re: DNS in mikrotik and DC on Windows Server

I understand why you want Mikrotik to be the second DNS server, but in Windows AD this is not good idea. You should configure Windows AD DCs as only DNS servers for your LAN. You can then configure Windows DNS to forward requests to your provider's DNS servers directly, or to Mikrotik. On Mikrotik u...
by karlisi
Mon Oct 30, 2017 10:04 am
Forum: General
Topic: Backup and restore Router OS
Replies: 1
Views: 513

Re: Backup and restore Router OS

Do not restore backup on another device. To transfer configuration to another device use export and import
https://wiki.mikrotik.com/wiki/Manual:C ... Management
by karlisi
Fri Oct 27, 2017 8:10 am
Forum: General
Topic: Article about new "Reaper" or "loTroop" Botnet
Replies: 6
Views: 1646

Re: Article about new "Reaper" or "loTroop" Botnet; lists Mikrotik as vulnerable

If You read carefully, these are issues not related to this attack, only can be potentially exploited (at least, Checkpoint thinks so). As said before in one of posts in this forum, if You are on latest versions of ROS, You are OK.
by karlisi
Thu Oct 12, 2017 11:04 am
Forum: Beginner Basics
Topic: forward chain: no packets go through [SOLVED]
Replies: 10
Views: 1894

Re: forward chain: no packets go through [SOLVED]

Which ports are in your bridge?
Also post nat rules.
by karlisi
Thu Oct 12, 2017 10:56 am
Forum: Wireless Networking
Topic: CAPSMAN + Guest WiFi
Replies: 16
Views: 10595

Re: CAPSMAN + Guest WiFi

Next time don't post sensitive data, like passwords, publicly.
Disable this nat rule and check if problem is resolved
add action=masquerade chain=srcnat out-interface=bridgeopen src-address=\
    10.35.0.0/24
by karlisi
Mon Oct 02, 2017 10:02 am
Forum: General
Topic: does PPTP Server requires GRE srcnat masquerading ?
Replies: 2
Views: 973

Re: does PPTP Server requires GRE srcnat masquerading ?

but the question is do i need to srcnat masquerade GRE protocol to outside in firewall nat rules and if so how do i do this ? do i need to specify source address ranges ? connection type pptp for this masquerading ? how does the GRE protocol goes back to the internet ?
No special src-nat rules for P...
by karlisi
Mon Oct 02, 2017 9:54 am
Forum: General
Topic: does PPTP Server requires GRE srcnat masquerading ?
Replies: 2
Views: 973

Re: does PPTP Server requires GRE srcnat masquerading ?

Hi
I have setup pptp server with ip pool, ppp profile, secret and pptp server and firewall filter rules for tcp port 1732 and protocol GRE
PPTP port is 1723. I have only this port open and no rules for GRE.
by karlisi
Thu Sep 28, 2017 8:17 am
Forum: General
Topic: CAPsMAN provisioning problem
Replies: 1
Views: 807

Re: CAPsMAN provisioning problem

Try to change order of provisioning rules, put now first rule with both interfaces on the bottom of list.
by karlisi
Wed Sep 27, 2017 4:04 pm
Forum: General
Topic: One Eth Port - 2 gateway addresses
Replies: 6
Views: 1216

Re: One Eth Port - 2 gateway addresses

Don't mess with routes, make src-nat rules for each of subnets like this:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=WAN \
    src-address=192.168.10.0/24 to-addresses=172.16.1.1/32
add action=src-nat chain=srcnat out-interface=WAN \
    src-address=192.168.20.0/24 to-addresses=172.16.2....
by karlisi
Tue Sep 26, 2017 12:21 pm
Forum: General
Topic: 2 IP adresses on 1 Eth port
Replies: 1
Views: 568

Re: 2 IP adresses on 1 Eth port

Yes and yes.
by karlisi
Tue Sep 26, 2017 10:40 am
Forum: Wireless Networking
Topic: Caps selecting same channel
Replies: 31
Views: 11168

Re: Caps selecting same channel

This has revealed two other issues that I think are bugs. Those two are: 1) reset-configuration deletes all files on unit. This is causing problem when I want a script to run after reset - the script file is no longer there!
This is not a bug. Place files inside flash directory and they will be there ...
by karlisi
Mon Sep 25, 2017 9:39 am
Forum: Wireless Networking
Topic: Caps selecting same channel
Replies: 31
Views: 11168

Re: Caps selecting same channel

As far as I understand, Mikrotik chooses least busy wireless channel only on startup and after that never checks if it is the best (least busy). So, after CAPsMAN restart, if both APs are starting simultaneously, they can choose the same free channel. Starting from version 6.39 it is possible to tel...
by karlisi
Mon Sep 25, 2017 8:33 am
Forum: SwOS
Topic: CSS switch multicast problem in classrom ?
Replies: 3
Views: 2399

Re: CSS switch multicast problem in classrom ?

This is the most useful post in every technical forum - "thanks, problem solved!"... and no details, no followup, nothing :evil:
by karlisi
Thu Sep 14, 2017 11:46 am
Forum: General
Topic: SNTP client, unable to synchronize time, error: server-ip-mismatch
Replies: 24
Views: 6782

Re: SNTP client, unable to synchronize time, error: server-ip-mismatch

SNTP client cannot synchronize time, error server-ip-mismatch.(
This error is on router? Or You are using router as NTP server and this error is on clients?
by karlisi
Thu Aug 31, 2017 1:35 pm
Forum: General
Topic: Is missing connection-state=invalid hugely bad?
Replies: 5
Views: 4445

Re: Is missing connection-state=invalid hugely bad?

So should I be worried that my initial Firewall configuration missing those "Drop Invalid connections" rules?
No.
These examples are a little outdated, i.e., established and related can be in one rule.
add action=accept chain=forward comment="" connection-state=established,related
by karlisi
Wed Aug 23, 2017 10:36 am
Forum: Wireless Networking
Topic: CAPsMAN and guestwifi, no internet on guestwifi
Replies: 20
Views: 2752

Re: CAPsMAN and guestwifi, no internet on guestwifi

What is not working:
Connect to internet from "wifiguests"
What exactly is not working? http? ping to 8.8.8.8? ping to external ip of router? everything?
by karlisi
Tue Aug 22, 2017 4:00 pm
Forum: General
Topic: CHR doesn't survive XenServer live migration.
Replies: 4
Views: 1793

Re: CHR doesn't survive XenServer live migration.

Yes, still no xentools available for CHR, still crashing on live migration.
by karlisi
Tue Aug 22, 2017 3:55 pm
Forum: Wireless Networking
Topic: CAPsMAN and guestwifi, no internet on guestwifi
Replies: 20
Views: 2752

Re: CAPsMAN and guestwifi, no internet on guestwifi

You need only one rule in nat chain srcnat.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
Just curiosity - there are any dropped connections in output chain (rule with many email related ports)? IMHO this rule is useless.
by karlisi
Tue Aug 22, 2017 8:55 am
Forum: Wireless Networking
Topic: CAPsMAN and guestwifi, no internet on guestwifi
Replies: 20
Views: 2752

Re: CAPsMAN and guestwifi, no internet on guestwifi

Please post export of nat rules. In similar configuration I have only one nat rule, not 2, perhaps there is something wrong.
by karlisi
Mon Jul 31, 2017 10:21 am
Forum: General
Topic: Zabbix SNMP OID - Interface Traffic
Replies: 1
Views: 3887

Re: Zabbix SNMP OID - Interface Traffic

https://share.zabbix.com/search?searchw ... arch_cat=1
From my experience none of them are perfect without some modifications. Just experiment.
by karlisi
Thu Jul 20, 2017 11:34 am
Forum: Beginner Basics
Topic: Is it possible to script when Wireless WLAN comes on?
Replies: 14
Views: 1544

Re: Is it possible to script when Wireless WLAN comes on?

What exactly is not working?
by karlisi
Mon Jul 03, 2017 11:30 am
Forum: Beginner Basics
Topic: Routing requests from LAN back into LAN
Replies: 29
Views: 12318

Re: Routing requests from LAN back into LAN

You should add address list entry exactly as said, using DNS name not IP address
/ip firewall address-list
add address=sam9s.synology.me list=host_synology
If router have correct DNS entries (IP -> DNS), it will resolve IP address and add them to this entry.
Then address_list will work correctly.
by karlisi
Wed Jun 21, 2017 10:24 am
Forum: RouterBOARD hardware
Topic: Repair of RB2011UAS-2HiD-IN
Replies: 1
Views: 782

Re: Repair of RB2011UAS-2HiD-IN

Ask Your distributor.
https://mikrotik.com/rma
by karlisi
Wed Jun 21, 2017 8:43 am
Forum: RouterBOARD hardware
Topic: USB Battery to power routerboard
Replies: 18
Views: 3782

Re: USB Battery to power routerboard

Thank you all for your responses. I was hoping to use the main grid to power the devices and when the power went down shift to the usb battery. So we would not need to be charging the batteries and using them at the same time.
Sure, You can, but You should go to device and plug in this battery ever...
by karlisi
Tue Jun 13, 2017 2:54 pm
Forum: Beginner Basics
Topic: Block DST-NAT RDS Users
Replies: 10
Views: 2231

Re: Block DST-NAT RDS Users

There is something wrong with configuration. Post your configuration /ip firewall filter export and /ip firewall nat export here.
by karlisi
Fri May 12, 2017 9:09 am
Forum: Wireless Networking
Topic: CAPsMAN Setup Advice Please
Replies: 9
Views: 1753

Re: CAPsMAN Setup Advice Please

One suggestion - don't use 'capsman' as name for bridge, it can bring some confusion later. Actually this bridge serves as interface for entire LAN not only for CAPsMAN.
by karlisi
Fri May 12, 2017 9:04 am
Forum: Wireless Networking
Topic: CAPsMAN Setup Advice Please
Replies: 9
Views: 1753

Re: CAPsMAN Setup Advice Please

No, remove this address from ether1 and assign to bridge. Bridge is the master interface for included interfaces (ether1). In configuration You should use master interfaces, not slaves.
by karlisi
Thu May 11, 2017 1:28 pm
Forum: Wireless Networking
Topic: CAPsMAN Setup Advice Please
Replies: 9
Views: 1753

Re: CAPsMAN Setup Advice Please

Also LAN side IP address should be assigned to bridge and DHCP server should give addresses to bridge not to ether1.
by karlisi
Thu May 11, 2017 10:01 am
Forum: General
Topic: Policy-based routing with dual WAN - Mikrotik update fails
Replies: 5
Views: 2065

Re: Policy-based routing with dual WAN - Mikrotik update fails

Are configured DNS servers accessible through both WAN interfaces?
by karlisi
Mon May 08, 2017 10:59 am
Forum: General
Topic: RDP Problem behind Mikrotik
Replies: 4
Views: 2680

Re: RDP Problem behind Mikrotik

Are You using default RDP port 3389 on server 192.168.1.252 when connecting from inside network and want to connect to port 4001 from outside? If so, rule should be
chain=dstnat action=dst-nat to-addresses=192.168.1.252 to-ports=3389 
      protocol=tcp dst-port=4001
by karlisi
Thu Feb 16, 2017 10:09 am
Forum: General
Topic: SFP Interfaces
Replies: 3
Views: 1240

Re: SFP Interfaces

You should use similar SFP modules on both ends of optical link. These modules are very different, S+85DLC03D is 10Gbps 850nm multi mode, S-31DLC20D is 1.25Gbps 1310nm single mode.
by karlisi
Wed Feb 15, 2017 4:28 pm
Forum: Beginner Basics
Topic: Scheduling a script whose content is in the scripts/ directory
Replies: 5
Views: 2964

Re: Scheduling a script whose content is in the scripts/ directory

AFAIK .rsc scripts are for configuration tasks only. If you need run script on regular basis, make new script under /system scripts, then schedule it with /system schedule as Chris wrote. More about scripting in RouterOS see in Wiki http://wiki.mikrotik.com/wiki/Manual:Scripting http://wiki.mikrotik...
by karlisi
Wed Feb 15, 2017 9:31 am
Forum: Scripting
Topic: Synch Address-lists with Master Router
Replies: 4
Views: 1190

Re: Synch Address-lists with Master Router

There is topic on this forum about blacklisting, You can use this or use it for Your own solution
Blacklist Filter update script
by karlisi
Tue Feb 14, 2017 2:14 pm
Forum: General
Topic: Access local servers on same subnet.
Replies: 6
Views: 900

Re: Access local servers on same subnet.

Perhaps not Mikrotik problem. Connect to servers directly without router and check if it works.
by karlisi
Fri Feb 03, 2017 9:41 am
Forum: Announcements
Topic: Winbox 3.10 released!
Replies: 70
Views: 46398

Re: Winbox 3.10 released!

Winbox 3.x is OK, only one problem which I have is - during upload file (for example new Router OS) is not possible working in active window.
After file is uploaded, then is possible working.
In winbox 2.2.18 this works. Can you fix it?
+1
This is very annoying on slow connections.
by karlisi
Fri Jan 20, 2017 8:32 am
Forum: General
Topic: RB2011uias-RM Redundant Power Supply with Internal PSU and external PSU
Replies: 9
Views: 2323

Re: RB2011uias-RM Redundant Power Supply with Internal PSU and external PSU

It is possible to use two power sources, though it is not supported by manufacturer, of course. Connect both power sources through diodes like 1N4002 - 1N4007. Anodes to power sources, cathodes connected together and to external power input of RB. Disclaimer: I am not responsible if You damage someth...
by karlisi
Thu Dec 22, 2016 8:17 am
Forum: Beginner Basics
Topic: Configuring TR-069 CWMP
Replies: 1
Views: 1260

Re: Configuring TR-069 CWMP

It's added in 6.38rc24 (2016-Nov-03 13:01):
!) tr069-client - initial implementation (as separate package);
by karlisi
Tue Dec 13, 2016 8:50 am
Forum: General
Topic: Help. both LAN and WLAN must have internet connection.
Replies: 4
Views: 749

Re: Help. both LAN and WLAN must have internet connection.

Your interface WAN2 have no IP address assigned.
by karlisi
Tue Nov 22, 2016 9:31 am
Forum: Beginner Basics
Topic: help
Replies: 1
Views: 479

Re: help

At first read the documentation http://wiki.mikrotik.com/wiki/Manual:RouterOS_FAQ
I have a rb951g-2hnd router, I want to have two wan, does it work?
Yes
I want to use it as an antivirus, does it work?
No
I want to back up the network, does it work?
??? Please explain what You mean by this
I want to...
by karlisi
Mon Nov 21, 2016 4:45 pm
Forum: Beginner Basics
Topic: How To Stop Attack to Server And Control User internet Usage
Replies: 8
Views: 3595

Re: How To Stop Attack to Server And Control User internet Usage

Make sure in server network settings there are only internal DNS server IP addresses. AD DC should not know about any external DNS servers. To access Internet resources there should be forwarders configured on DNS server.
by karlisi
Wed Nov 09, 2016 2:36 pm
Forum: Beginner Basics
Topic: Multi WAN on same Gateway
Replies: 3
Views: 889

Re: Multi WAN on same Gateway

Please post Your configuration export /ip firewall nat
by karlisi
Wed Nov 09, 2016 11:16 am
Forum: Beginner Basics
Topic: Multi WAN on same Gateway
Replies: 3
Views: 889

Re: Multi WAN on same Gateway

Try this
add action=src-nat chain=srcnat out-interface=WAN1 src-address=192.168.1.0/24 \
    to-addresses=10.0.0.1
add action=src-nat chain=srcnat out-interface=WAN2 src-address=192.168.2.0/24 \
    to-addresses=10.0.0.2
add action=src-nat chain=srcnat out-interface=WAN3 src-address=192.168.3.0/24 \
    to-addr...
by karlisi
Wed Nov 09, 2016 10:59 am
Forum: Beginner Basics
Topic: CAPsMAN begginer
Replies: 2
Views: 739

Re: CAPsMAN begginer

In CAPsMAN leave channel not configured, APs will choose channels automatically.
by karlisi
Wed Nov 02, 2016 9:33 am
Forum: Announcements
Topic: v6.36.4 [bugfix] is released!
Replies: 51
Views: 18898

Re: v6.36.4 [bugfix] is released!

Thanks for the link, it is really useful. But as I said before: I don't care about many changes let's say in 6.35.4 which are fixing 6.35.3 bugs, I just need to see summary of changes from 6.34.6 to 6.36.4.
Agree to this. Consolidated changelog for bugfix versions would be very useful.
by karlisi
Fri Oct 28, 2016 9:27 am
Forum: Announcements
Topic: v6.36.4 [bugfix] is released!
Replies: 51
Views: 18898

Re: v6.36.4 [bugfix] is released!

The same. On some devices upgrade to newest bugfix is available, on some not, regardless of currently installed version or processor type.
by karlisi
Wed Oct 26, 2016 2:11 pm
Forum: Virtualization
Topic: CHR on bare metal
Replies: 13
Views: 4328

Re: CHR on bare metal

A single licensing scheme would be nice. Something to the effect of this: You purchase X number of licenses, which are tracked through a support portal. When you install an instance of ROS (virtual or bare metal), you input a key obtained from the support portal that is linked to your account. The ...
by karlisi
Tue Oct 18, 2016 10:57 am
Forum: Wireless Networking
Topic: mikrotik access point / controlling on the time of wireless authentication
Replies: 20
Views: 4657

Re: post to the support of the mikrotik

Try this
/interface wireless access-list
add interface=wlan1 mac-address=00:23:4D:76:8F:F5
add interface=wlan1 mac-address=00:23:4D:76:8F:F5 time=8h-20h,sun,mon,tue,wed,thu,fri,sat \
    vlan-mode=no-tag
by karlisi
Mon Oct 03, 2016 9:49 am
Forum: Wireless Networking
Topic: Capsman Host cannot see host
Replies: 1
Views: 596

Re: Capsman Host cannot see host

Enable client to client forwarding in Capsman datapath.
by karlisi
Wed Sep 28, 2016 4:55 pm
Forum: Forwarding Protocols
Topic: Mikrotik SMTP Traffic block except mail server
Replies: 3
Views: 1565

Re: Mikrotik SMTP Traffic block except mail server

It should work. Post Your firewall rules here.
by karlisi
Wed Sep 28, 2016 2:46 pm
Forum: Forwarding Protocols
Topic: Mikrotik SMTP Traffic block except mail server
Replies: 3
Views: 1565

Re: Mikrotik SMTP Traffic block except mail server

chain=forward protocol=tcp src-address=172.16.5.5 dst-port=25 action=accept
chain=forward protocol=tcp src-address=172.16.5.0/24 dst-port=25 action=drop
by karlisi
Thu Sep 22, 2016 9:54 am
Forum: Beginner Basics
Topic: Upgrade Firmware for Mikrotik Router
Replies: 2
Views: 866

Re: Upgrade Firmware for Mikrotik Router

AFAIK no impact on configuration. All my CCR1009 running 2.37 firmware without problems.
by karlisi
Mon Sep 19, 2016 10:01 am
Forum: Beginner Basics
Topic: help needed IP phone VLAN
Replies: 13
Views: 2136

Re: help needed IP phone VLAN

Have You srcnatted bridgetel? It is separate interface, check firewall rules for it. In general they should be the same as for bridge-local.
by karlisi
Mon Sep 12, 2016 9:37 am
Forum: Virtualization
Topic: CHR feature requests
Replies: 59
Views: 14566

Re: CHR feature requests

Support for Citrix XenServer.
by karlisi
Mon Sep 05, 2016 9:23 am
Forum: Wireless Networking
Topic: Upgrading APs in CAPsMAN configuration
Replies: 1
Views: 1245

Re: Upgrading APs in CAPsMAN configuration

If You can connect via Winbox, upgrade using it (download from Mikrotik site to workstation, copy/paste to Winbox -> Files, then reboot router).