MikroTik

karlisi

Broadcast storm perhaps? Ethernet loop or faulty network device?

karlisi

IMHO CCR1009, 1016, 1036 and 1072 series all share the same board and all have the same problem - bad 680uFx6.3V capacitors, C1442, C143, C1613, C1617. First clue if they are failing is higher CPU temperature and slightly lowered voltage. We are replacing all 4 caps, not only bulged.

karlisi

However, it's even the other way around: ROS regulates fan speed (and thus air flow) according to temperature of CPU (and port area). But indirectly this also affects cooling of CPU (part of air does flow through PSU) and keeping fan speed low means higher temperature inside PSU. This will not work...

karlisi

@Maggiore81 IMHO, that's not the case, with switch between router and client speed is OK

@pocci Have you tried to set 1Gbps for ether6 manually? Server has 2.5Gbit interface, it could be a problem for Mikrotik

karlisi

IMHO below -80 most of disconnection are caused by signal loss, not by access rules

karlisi

Quick search in this forum:
viewtopic.php?t=141603
viewtopic.php?t=172132

karlisi

Post configuration export.
If you don't know how, read this viewtopic.php?t=203686#p1051720

karlisi

Or in short:

:local senha;
:local ds [/system clock get date]
:local mm [:pick $date 5 7];

:set  senha ( "user*" . $mm * [:pick $ds 8 10])

/ip hotspot user set "user" password=$senha

karlisi

So, for all of us, it would be interesting to hear, which directions Mikrotik will go.

karlisi

Default masquerade rule catches all, so nothing will go to next srcnat rules. Perhaps these srcnat rules are not needed, only dstnat rules?

karlisi

So the POE device doesn't actually do POE. Thanks for the verification. I'll return it to Amazon and buy a new router from a company that doesn't lie to its customers. Perhaps next time read description before buy. Quote from https://mikrotik.com/product/RB960PGS It also supports passive PoE input ...

karlisi

It's the same DIN rail.
In fact, there is. LtAP mini https://mikrotik.com/product/ltap_mini with DIN rail mounting bracket https://mikrotik.com/product/dinrail_pro

karlisi

Remove ether1 from bridge local?
Without configuration export this is the only guess.
/export file=anyfilename hide-sensitive
Remove from exported config public IPs, MAC addresses, passwords and other sensitive info, and post here between code tags

karlisi

1.No
2.Save and load multiple interface settings for same device?
3.No idea
4.Perhaps yes
5.Not surprised, but yes, learned something

karlisi

Think what you write, Normis. ROS v.6 is still supported, it means 6.49.11 is up to date.

karlisi

Even worse, OP has hEX S and it's max PoE output is only 500mA.

karlisi

EDIT: the upgrade policy was to suggest the same version, but I couldn't believe this starts auto upgrade without any prompt It always been like that, if you want upgrade manually, set the upgrade policy to 'none'. Policy 'suggest same version' means, caps will try to upgrade to the same version as...

karlisi

It seems You are confused by passive PoE and active PoE. I will oversimplify this, but the main visible difference is in voltage. Hex poe can deliver both but not in same time. With included 24V PSU it delivers passive PoE. For active PoE (I assume your devices needs active PoE) you need 48V PSU. Wh...

karlisi

CCR1009-8G-1S-1S+PC constantly rebooting by thermal protection. Replaced the same as above 4 capacitors 680uF*6.3V, problem solved. About 3 months ago another CCR1009, the same repair.

karlisi

You need TLS Mode = yes

karlisi

The User Manager? Next time choose appropriate section of the Forum.
What RouterOS version? Wireless package is enabled?

karlisi

If regex is OK, there should be something else outside of routing or static dns. My regex is similar to this

add forward-to=192.168.10.16 regexp=".*\\.internal\\.mydomain\\.org\$" type=FWD

karlisi

Do you have public IP on router's WAN interface?

karlisi

Weird thing still is how it works with the old router with the block rule in place.. Windows network profile is the same with old and new router? If Windows computer is connected directly to router, it detects hardware change and can change network profile, even if new router is configured exactly ...

karlisi

You can set passtrough interface for APN in use. It's under interfaces -> LTE -> LTE APNs. Remove that interface from default bridge before setting it as passtrough. You can lose access to router if set bridge as passtrough interface.

karlisi

all works thanks guys

The most hated reply in all technical forums

karlisi

Add this rule, typically DNS uses UDP: add action=accept chain=input comment="Allow router to access DNS" dst-port=53 protocol=tcp add action=accept chain=input comment="Allow router to access DNS" dst-port=53 protocol=udp And this rule does nothing because you already dropped al...

karlisi

I suspect camera will not work, at least I've not seen af/at only cameras working on passive poe. To answer, if you can connect camera to passive poe port for testing, I have done it without bad consequences, but take it on your risk of course.

karlisi

Perhaps start with default configuration and learn how it works. First you should remember, all rules are evaluated in sequence as they are ordered. As short example, here second rule will not work at all because previous rule already blocks all packets from ether1. add action=drop chain=input comme...

karlisi

BTW, there is no vacancy for President, only for Prime Minister (Ministru prezidents) in Latvia.

karlisi

Yes, You can. Voltages must match, in this case both are 24V. Amperage should be equal or more. In general, amperage indicates maximum current you can draw from PSU.

karlisi

karlisi

I tried it, and it didn't work. The counter for this rule stays at 0, so apparently no packet matching the rule is ever received by the firewall. It was my understanding that this should have been done already by the existing "masquerade" rule, Be sure masquerade is the last in srcnat cha...

karlisi

Passive PoE is not compatible with 802.3af/at

karlisi

Who knows, but there is ROS 7.10 for Tile architecture, so I hope it will be supported some time.

karlisi

So your dst-nat works. Check if there is response from 192.168.10.10. And it would be better if we can see all configuration, perhaps something was altered by configuration transfer and adaptation process.

karlisi

Wait, so this behaviour could be an anti virus scanning the network?

Yes. The same experience from other Mikrotik user viewtopic.php?p=988766&#p988766

karlisi

You can take the idea from here https://help.mikrotik.com/docs/display/ ... itbye-mail

karlisi

Hap ac2 reset button has no CAP mode, as per user manual. Instead you should log in similar to your master router, click on Quick Set, then choose CAP, adjust settings if needed, and save settings.

karlisi

Your router is completely unprotected. I suggest to apply default firewall rules first, then add your customizations.
Edit: OK, Jotne already wrote about it.

karlisi

This rule blocks all traffic to 92.92.92.92./28 subnet, including replies to tcp requests originating from this subnet add action=drop chain=forward comment=Block-All-TCP-PORTS dst-address=92.92.92.92/28 \ in-interface=ether1 log=yes protocol=tcp You should allow replies to outgoing requests to esta...

karlisi

What if you add this as first rule in forward chain?

/ip firewall filter
add action=accept chain=forward connection-state=\
    established,related,untracked

karlisi

The router of my example would be a Mikrotik Routerboard Hex RB750GR3 and unfortunately I didn't find an option to edit the title of this post to add this information. In the link @karlisi gave it says "IP connectivity on the public interface must be limited in the firewall." so I underst...

karlisi

Now I'm going to get the popcorn and wait for when the others read... rextended is teasing You, sorry :D If You expect useful answer, post some more information, router model at least (from your description we can only guess this is no low end home router), or config export. Also, perhaps read http...

karlisi

I suppose, there is more configuration, especially on server side. Because you don't posted it, this can be only guess, but perhaps there is no ipsec-esp (50) protocol allowed in input chain of server's firewall?

karlisi

PC2 should resolve AD domain name via DNS to join domain. It is easier if all traffic from PC2 to Internet goes trough VPN, in this case use AD DNS in PC2 network settings. If not, you can use static DNS entries in Mikrotik to forward DNS queries for AD domain to specific servers.

karlisi

Finally someone has found a Grandstream product that works!!!

He, he

karlisi

studies have found that brute-forcing PPTP encryption has become almost trivially simple. At Defcon 2012, hacking group CloudCracker showed that MS-CHAPv2 (the updated CHAP for PPTP) could easily be gamed. There is no need to employ an array of powerful computers, and the process doesn’t take long. ...

karlisi

Perhaps some ideas from here?
https://blog.zabbix.com/monitoring-netw ... bix/10093/#

karlisi

It is possible to set static DNS entries on remote routers, like this https://askto.pro/question/setting-up-a-redirect-in-mikrotik To avoid problems if one of AD DNS servers goes offline, use script to check servers availability and to disable or enable corresponding entry in static DNS table, and r...

karlisi

We have Dude for fast overview, what's working, what's not, and for some Mikrotik management, Zabbix for graphing and alerting, and Graylog (based on Elastic) for logging. We wanted all in one also in beginning, but after some time we realized why there are so much specialized tools available :) All...

karlisi

karlisi

Normally USB hub has 1 input which goes to the router in your case and does not provide power to it, and some outputs where power is provided from hub's power adapter

karlisi

But I doubt that is the problem, error message is different. Perhaps this
viewtopic.php?t=149863

karlisi

Don't uninstall that update, it will be installed again. Just install another one to patch exactly this problem
https://www.catalog.update.microsoft.co ... =KB5010793
On some computers this appears under optional updates, if not, download it manually.

karlisi

This should work

/ip firewall filter remove [find dynamic=no]

karlisi

It seems something wrong with your AD configuration. First fix that. First, it is recommended to use Windows DHCP server in Windows AD network. If you are using third party DHCP, i.e. Mikrotik, you should specify internal DNS servers to clients, not Mikrotik or another third-party DNS. The commonly ...

karlisi

Is your router's Internet side connected to bridge1?

karlisi

Zabbix is an enterprise-class open source distributed monitoring solution. Zabbix is free of cost. Zabbix is written and distributed under the GPL General Public License version 2. It means that its source code is freely distributed and available for the general public. Commercial support is availab...

karlisi

i don't want to offend anyone, but i don't really understand the "Dark-Mode" hype !

Agree

karlisi

I dont see the problem.
First 6.41.4 is very old, so some one has missed out many many version.

You are right about this, only partially. In such case changelog should start with "warning, if you upgrade from versions older than..."

karlisi

This fix helps for Windows Server 2016, but perhaps it helps for 2012 too: Here’s a fix so that you don’t have to explicitly select allow for all users that you want to connect. Under NPS configuration in Windows Server 2016: Under Policies > Network Policies > Virtual Private Network (VPN) Connecti...

karlisi

Start new thread, this was marked as solved, noone will look here

karlisi

I believe it's typo, there should be 'add action=allow' Oh just noticed since you do use port forwarding, you will need one additional allow rule in your ADMIN rules for the forward chain and it looks like this... add action=drop chain=forward comment="allow port forwarding" connection-nat...

karlisi

Modify nat rule to this (assuming your bridge is called LAN)

/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.0.67 src-address=192.168.0.0/24 out-interface=LAN comment="http from LAN"

karlisi

Last rule drops everything coming to WAN trough router, it's like one way street. BTW, what's the purpose of this rule?

karlisi

When a Mikrotik CHR ( with the license ) is moved to another location on the hypervisor or to another hypervisor ( either manually or by automatically ) the new spun-up CHR will no longer retain the original license. I recently moved CHR from Xenserver host to xcp-ng pool (migrate, not copy), it re...

karlisi

viewtopic.php?t=137338

karlisi

Post configuration (i.e. example) or it didn't happen. No time to search exact sample, but in stable channel changelogs these 'fixed (or reverting) something, introduced in some previous release' occurs quite often. Why I should trace down all these introduced-fixed-removed I don't understand but M...

karlisi

I think MikroTik should put all changelog items in a database keyed with version number where they are added and version number where they become superseded, and then provide a webpage where you can enter two version numbers and get a customized changelog between those two versions. Channel (stable...

karlisi

Post configuration (i.e. example) or it didn't happen. No time to search exact sample, but in stable channel changelogs these 'fixed (or reverting) something, introduced in some previous release' occurs quite often. Why I should trace down all these introduced-fixed-removed I don't understand but M...

karlisi

Especially since even the changelog references a non-existing long-term release in relation to changes from v6.48.4 and not the actual predecessor v6.47.10 . https://mikrotik.com/download/changelogs/long-term-release-tree So lets see how the actual release notes for long-term v6.48.5 upgrade from v...

karlisi

Network problems can cause this error too. I had bad network cable between AP and switch, time to time there was this DHCP error for clients on this AP.

karlisi · Re: cap capsman factory reset What if factory version is newer than 6.42.10?

What if factory version is newer than 6.42.10?

karlisi

Or move Windows button to top, where it resides in other Windows software. Just on right of session or between it and Safe Mode button

karlisi

https://www.abuseipdb.com/check/216.218.206.106
You can create blacklist, put it in (and perhaps another abusers later), and drop all connections from blacklist in ip firewall raw prerouting chain

karlisi

Yes, it should work as you described.

karlisi

Default configuration would be good starting point

karlisi

You can't. I guess clients are Windows, and Windows VPN connection by default uses VPN server as default gateway. Either instruct your clients to disable remote gateway in VPN settings, or make a script to do this (perhaps someone can help with this) and send it to clients.

karlisi

It's self explanatory: drop all not coming from LAN. PPPoE interface is not LAN. Allow 53/udp from appropriate interfaces exactly before this drop-all rule. And be sure to not allow DNS from entire world.

karlisi

However the connection speed test is around 16Mbps (If connected directly to home router 2.4 GHz it's ~83 Mbps).
How can I investigate this ?

Check speed from cable AP end, to be sure there is no fancy config in router.

karlisi

Quick search with G resulted in: Max power consumption without attachments 20W https://mikrotik.com/product/RB1100AH The device supports 110-220V at the built in PSU, and 12-24V when powering directly to the board and not using the provided case/PSU. https://i.mt.lv/cdn/product_files/rb1100AHmA_1305...

karlisi

It's not clear why this rule (and similar in input chain): add action=add-src-to-address-list address-list=BlcokConnections address-list-timeout=none-dynamic chain=forward This rule adds every new connection to 'BlcokConnections' list. Every means, both directions - WAN to LAN and LAN to WAN. That's...

karlisi

I suppose you dst-natted to port 443 without specifying in-interface, there should be your WAN interface

karlisi

The order of rules matters. Hairpin NAT rules (2. and 3.) should be before src nat all LAN rule (1.).

karlisi

+1
White color fits most of interiors

karlisi

You are correct in all explanations.
2nd is related to 3rd, hairpin NAT, needed if clients should connect server in same subnet, using public IP.
https://help.mikrotik.com/docs/display/ ... HairpinNAT
3rd and 4th are almost the same, 4th rule restricts access only from src-address

karlisi

You have wrong gw here, I believe /ip dhcp-server network add address=192.168.188.0/24 comment=pinet gateway=192.168.88.1 netmask=24 should be 192.168.188.1 Not related to connection problems, but last 2 drop rules in forward chain are not needed, the previous rule already dropping all from all inte...

karlisi

yes, because router can't see content inside https

karlisi

viewtopic.php?t=132823

karlisi

curl test from 192.168.60.0/24 or /30 network works?

karlisi

You can use /import file=thenameoftheconfigfile verbose=yes to see where the import stops. After correcting and re-uploading config file, you can restart import with /import file=thenameoftheconfigfile verbose=yes from-line=errorlinenumber

karlisi

Attacker targets router's public address (screened part in log entry), and NAT translates this request to private - 111.7.96.178:36152->10.0.0.1:53, NAT 111.7.96.178:36152->(xx.xxx.xxx.xxx:53->10.0.0.1:53). Attacker don't see internal IP, if request would be answered, it's source IP would be router'...

karlisi

Sometimes you need to run Dude client as administrator to perform upgrade even if you are local administrator on your computer.

karlisi

I had a test CHR on VMware ESXi 6.7 running 7.1beta4 with a quite simple config (1 interface, fixed address, a BGP session) I used System->Packages upgrade to load 7.1beta5 It fails to boot now. On the console it says: Load system WARN: GPT: skip truncate ERROR: could not mount disk! Please attach ...

karlisi

or

remove [find dynamic=no]

karlisi

/log print where message~"AppleWatch"

karlisi

It is in winbox using Terminal.
In GUI no, it isn't possible. If renaming, put the default name in comment, it can help sometimes

karlisi

/interface print detail

to list all interfaces details or

/interface print where default-name=sfp2

to find default name of one interface

karlisi

Upload using Winbox, not the Dude client.

karlisi

Sorry, no idea. On Mikrotik my only error was incorrect src-address in radius settings, there should be router's IP address.

karlisi

What is on Mikrotik?

karlisi

So, Mikrotik is connecting to NPS, but policies not match. The only suggestion is, check all settings thoroughly step by step on both sides, especially on NPS. Or start from scratch.

karlisi

Also many of them are used only once and never appears again.

karlisi

Without RADIUS works? Something in Windows Security Events?

karlisi

Also this link from comments on original article
https://mivilisnet.wordpress.com/2019/0 ... s-working/

karlisi

I used this one, all is working
https://mivilisnet.wordpress.com/2018/1 ... indows-ad/

karlisi

In previous betas it was actually completing but after very long time, like 20m.

Actually without 'verbose' it takes exactly 20min. Very interesting.

karlisi

Not sure what to do with the wiki article. How do I make it work for me, though?

Read, understand and implement. What more do you expect from us if we know nothing about your current config.

karlisi

For version 4 download links are here
https://share.zabbix.com/official-templ ... plate-pack
Use SNMPv2 template. And be patient, I received first data after about 30 min.

karlisi

Use standard 'Network Generic Device SNMP' template (built-in). If needed, download it from https://git.zabbix.com/projects/ZBX/rep ... neric_snmp
Link is for latest Zabbix v.5.2, you can change branch to another if needed.

karlisi

SFP+ module in SFP cage (RB2011) won't work. SFP module in SFP+ cage should.

karlisi

If your clients are using 192.168.0.33 as DNS server and there is no something special in router's configuration, it shouldn't be so. From your description I assume you configured Mikrotik router as DNS server for clients, and 'allow remote requests' along with 192.168.0.33 as DNS server on Mikrotik...

karlisi

https://wiki.mikrotik.com/wiki/Manual:CHR#60-day_trial

karlisi

Interface list LAN is empty? Just guess, You posted only partial configuration.

karlisi

RX Signal

karlisi

This is my DNS in MKT:
1.1.1.2 - 1.0.0.2
MKT is DHCP for LAN 192.168.110.0/24

This is DNS where? In IP -> DHCP server -> Networks? Or in IP -> DNS? If only in first, clients never will use AD DNS for resolution.

karlisi

That article is almost 10 years old, please use current version
https://help.mikrotik.com/docs/display/ ... Protection

karlisi

... CAPs Manager (ARM based hAP ac2 in long-term v6.45.9) and a CAP Slave (MIPSBE mAP Lite 2nD in stable v6.46.6) ... and the upgrade policy to suggest same version. All works as expected, on client there is newer version as on manager, it's why nothing happens. You can do as @mkx suggests, in fact...

karlisi

Read this thread
viewtopic.php?f=2&t=149863

karlisi

Ipsec rules should be before fasttrack rule, to exclude ipsec traffic from fasttrack. And fasttrack should be before accept established, related, untracked to work properly.

karlisi

Shouldn't we be seeing the changelog from 6.45.9 to 6.46.7 not from 6.46.6 ? Going up a major version in a long-term release should be looked over a bit more carefully before we take the plunge. We already had discussion about that without results https://forum.mikrotik.com/viewtopic.php?f=21&t...

karlisi

RB2011 ROS 6.45.9 (long-term), no problems with NAT rules.

karlisi

Wow, that was fast! Thank you!

karlisi

Or atleast there should be some warning regarding this, when it encounters unsupported (anymore) ROS versions instead of the current unfortunate behaviour. ROS 6.45.9 is supported, this is the latest long-term version. So, while we are waiting for backporting something (we don't know what) from sta...

karlisi

IMHO You shold fix WinBox not ROS ASAP as upgrade to ROS > 6.47 is not always possible

And remove Winbox 3.25 from downloads and upgrade ASAP.

karlisi

Installed on a number of units to notice that the Hotspot Host table is now empty. It appear the Hotspot is still working as clients are able to connect and logon and then appear in the active table. Seen this on all platforms. Also same issue is present in v6.47.2 Is it just me or is anyone else s...

karlisi

CCR2004-1G-12S+2XS https://mikrotik.com/product/ccr2004_1g_12s_2xs I have deployed similar medium sized systems using RB4011 and CRS328's. The RB4011 is connected by SFP+ and handles all the CAPSMAN traffic in non-local-forward mode. The benefit of this is all the radios are ports on one common bri...

karlisi

You can say that this version has a killer feature. Open CAPsMAN, click on "Radio" tab and watch all your CAPs disconnect. Also keeping that tab open will not let any CAP connect back. "failed to connect, timeout". LE: they do come back eventualy but nothing shows up on the Radi...

karlisi

CCR2004-1G-12S+2XS
https://mikrotik.com/product/ccr2004_1g_12s_2xs

karlisi

And don't compare router with phone, they are using different frequencies, so there can be different load on tower. Would be interesting to see the same RSRP, RSRQ and SINR from Huawei router.

karlisi

How are your signal levels (RSRP, RSRQ, etc.)

Regards.
RSRP: -106 dBm
RsRQ: -13.0 dB
SINR 7dB ( changing in limits from 5 to 10 )

Very poor signal, according to this
https://wiki.teltonika-networks.com/vie ... _.28LTE.29

karlisi

You want to restrict access from bridge-public to bridge by this rule? add action=src-nat chain=srcnat dst-address=!192.168.88.0/24 \ out-interface-list=WAN src-address=10.0.0.0/22 to-addresses=\ 192.168.88.250 IMHO, this will not work, requests to 192.168.88.0/24 misses this rule and will be routed...

karlisi

Yes, RB711-5HnD comes with L4 (AP) license.
https://mikrotik.com/product/RB711GA-5HnD

karlisi

And yes, you should remove unwanted MAC addresses from exported configuration.

karlisi

You can use 'verbose' switch on import, sometimes output to screen helps to spot the problem, because you will see exactly where the script stops. And there is another one useful switch 'from-line' which you can use to continue import after correcting errors.

karlisi

Last row says: 19:48, 21 May 2008 (EEST)
I believe most of it is obsolete. As said before, the default ruleset is the best starting point.

karlisi

So you haven't public IP address, this IP is from LMT internal network for clients, which is behind some NAT. Because they haven't dst-nat from real public IP to your router's external LTE interface, you can't establish VNC connection. You should ask LMT for real public IP. It can be dynamic, you ca...

karlisi

Do you have public IP address on LTE interface? Or from 10.0.0.0/8 network (smth like 10.44.28.53)?

karlisi

Sure, it shouldn't work. You have no incoming firewall rules for VPN, no L2TP profiles and secrets defined, only enabled L2TP server. That's why I linked wiki and one of the many step-by-steps found by Google.

karlisi

https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
https://blog.ligos.net/2019-10-27/L2TP- ... rotik.html

karlisi

System: hAP Ac. Os. 6.47.1. I Have only added a few rules to the default firewall rules. Do i Need to add anything else to make my hAp Ac secure? My configuration is as given below. /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interf...

karlisi

On first test problem was not resolved, but we will test it more thoroughly this week.

karlisi

"Server DNS Names" field is for FQDN of NTP servers.

karlisi

You don't need a script. Simply write in scheduler field 'On Event' /system reboot

karlisi

https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/Tools

karlisi

You should edit path to Winbox in Dude client to actual Winbox location
https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/Tools

karlisi

If you are speaking about CHR, you can use free version without registration, the only restriction is -

The free license level allows CHR to run indefinitely. It is limited to 1Mbps upload per interface.

https://wiki.mikrotik.com/wiki/Manual:CHR#free

karlisi

Before the dude can watching all server or devices... likes windows os, linux os, HP switch or cisco routeur etc... not now is watch only MikroTik ? No, you can monitor everything as before. The only difference is, now Dude server can run on RouterOS only. It can be Mikrotik device or CHR virtual m...

karlisi

Mikrotik, where Dude server part is installed.

karlisi

For rsc file, use /import instead of /system backup. Nothing changed in terms of backup and export usage, you should not use backup to restore it on another machine, even if it works.

karlisi

If this is all your firewall and if you disable last drop rule, your forward chain is fully open. BTW, last drop rule seems wrong, it drops all not-dstnatted connections coming from any interface, typically you want to drop this only from WAN.

karlisi

You can use configuration export not the backup. It is recommended to edit exported configuration, there can be i.e. some MAC addresses You don't want to transfer to new router.

karlisi

I doubt your gateway works as NTP server. Set ntp server DNS name to pool.ntp.org

karlisi

With Log window opened, minimize WinBox, then Restore. Log is always reverted to the beginning. Anyone else seeing this? Yes, the same here Just tried it on several routers, but only see this behavior on a single device. A differentiating factor appears to be the number of records kept in the log. ...

karlisi

Hello

With Log window opened, minimize WinBox, then Restore. Log is always reverted to the beginning.
Anyone else seeing this?

Regards

Yes, the same here

karlisi

Quick answer is - yes, if you use second IP for webserver, you don't need hairpin-nat. And you don't need the internal DNS server point to DMZ IP, point it to external IP. Be sure to not use default masquerade, use src-nat to appropriate extarnal IPs instead.

karlisi

Read this
viewtopic.php?f=2&t=149863#p738129
or this (although article is about Windows Vista, it applies to newer Windows versions too)
https://support.microsoft.com/en-us/hel ... in-windows

karlisi

I supposed OP has static public IP, because

i access my web server from internet all thing work fine

karlisi

Did you read that at all? Look in /ip firewall nat If you have default config, you already have this add chain=srcnat out-interface=WAN action=masquerade If you can access your webserver from outside of LAN, add this and all should work add chain=dstnat dst-address=<your-public-ip-address-here> prot...

karlisi

It seems You need hairpin NAT
https://wiki.mikrotik.com/wiki/Hairpin_NAT

karlisi

Read this topic
viewtopic.php?f=2&t=149863

karlisi

I'm not really sure if the RB1100 is in the "default settings are completely empty" category (like the CCR)...

Yes it is completely empty.

karlisi

I have Dude 6.46.4 and many RBs 6.44.6, and they all are talking with Dude.

karlisi

You don't need all UDP rules and all input chain rules. And the last 2 dst-nat rules too.
Try to add this (if you have default firewall ruleset you don't need it)

/ip firewall filter
add action=accept chain=frorward dst-port=1723 protocol=tcp

karlisi

I suspect there is much more problems if this resistor, in fact simple wire, is blown. Search for shorts somewhere after this resistor.

karlisi

https://wiki.mikrotik.com/wiki/Hairpin_NAT

karlisi

About other firewall rules. Rule #11 is unneeded because rule #21 already does that 11 ;;; Allow portforward chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1_UPLINK 21 ;;; drop all from WAN not DSTNATed chain=forward action=drop connection-state=new co...

karlisi

At the end of this journey, nothing known should reach the last rule on the firewall (chain=input action=drop log=yes). This log will (in distant future) be sent to a central logging service with alerts attached to it. Not exactly. These SYN packets are dropped in input chain, they are coming to ro...

karlisi

Long term: Released rarely, and includes only the most important fixes, upgrades within one number branch not add new features.
https://wiki.mikrotik.com/wiki/Manual:U ... _numbering

karlisi

First solution not usable only for clients which all are behind one NAT.

karlisi

Read this, it works very well https://forum.mikrotik.com/viewtopic.php?f=2&t=149863#p738129 Another solution is to modify Windows client registry: http://woshub.com/l2tp-ipsec-vpn-server-behind/ Original MS article about this solution (works also on latest Windows versions) https://support.micro...

karlisi

P.S. All the "verification is a useless step", "we know better" answers are really ābols-style and it's sad to see that MikroTik has started going in this direction (a direction that is not very appreciated by IT people who might be a very notable share of current MikroTik users...

karlisi

What to do, if I want to cancel upgrade? - Use "/system package update cancel" feature What to do if I do not realize there is an upgrade present that needs to be cancelled, because I can't see it, and therefore fail to cancel it? Use /system package update print to check, this is what th...

karlisi

Regarding verification of packages after download, this is of course about actually seeing the file in /file. That is not the same as doing a hash check or something, but that is not what this is about IMHO half of complaints would be eliminated, if there would be text in File window status bar, li...

karlisi

It depends. Using switch alone - no.

karlisi

This is one fiber module, there is nothing to reverse, unlike in modules with separate tx and rx fibers.

karlisi

3) If actual upgrade at reboot fails (due to missing packages or whatever), how does the admin know what packages are leftover in Files, and how does he remove them if Files is going to pretend to him that they don't exist? There will be no leftovers, on reboot they delete all npk files in file roo...

karlisi

Can anyone post reasonable reason why it's important? Because such changes (non-cosmetic, without clear reason) are introduced without warning. BTW there is unmet side effect. Usually after ROS upgrade I uploaded additional packages to CAPsMAN for another platforms, to remote upgrade CAPs, storing ...

karlisi

System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle. Please undo this change, it serves no useful purpose and has many disadvantages. Please revert this change. +++ I totally agree with pe1chl , macsrwe and r00t . Please revert...

karlisi

IGMP Snooping is already off.

karlisi

For now, try to disable the Flow Control for all interfaces under the "Link" menu in SwOS. Also, try to verify that other devices connected to the switch are not using any Flow Control settings. Keep an eye for any counters on the "Errors" menu. Let us know whether the switch st...

karlisi

This just happened to my CSS326-24G-2S+ running 2.10. It started balking after 17 days of uptime. Pings were fine, but any serious traffic would hang after a packet or two. Wow, it seems I'm not alone. My problem though is a little bit specific. There is no problem with wired clients, but if I conn...

karlisi

Have you read this?
viewtopic.php?f=2&t=111727

karlisi

It's an old and very clever rule for every software - never put in production new release before first bugfix subrelease, so in this case wait for 6.46.1 at least.

karlisi

I added: /ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="Allow IN PPTP/TCP1723" disabled=no /ip firewall filter add chain=output protocol=tcp dst-port=1723 action=accept comment="Allow OUT PPTP/TCP1723" disabled=no /ip firewall filter add ch...

karlisi

Seems like bug in /export, some versions back interface export was clean.

karlisi

Pay attention if there are no other architecture package uploaded on the device! And this is really annoying. Some time ago it was possible to upload to CAPsMAN device packages for device itself and for CAPs and upgrade entire network by one reboot. Now I should first upgrade manager, then CAPs. So...

karlisi

On Windows client it can be done manually, using Powershell or GUI.
http://eyonic.blogspot.com/2016/06/how- ... ng-in.html

karlisi

Router 1 should know where to send replies.

karlisi

My public IP is dynamic It's OK with dst-nat rules. You don't need 554/tcp or 8000/udp for iVMS application. How do you connect to external address? From inside the LAN? If so, you need additional hairpin-nat rule. I do not connect to an external address. Do you mean to my public IP? I connect it f...

karlisi

It's OK with dst-nat rules. You don't need 554/tcp or 8000/udp for iVMS application.
How do you connect to external address? From inside the LAN? If so, you need additional hairpin-nat rule.

karlisi

PoE-Out LEDs Models with dependant voltage output PoE-Out LED behaviour can differ between models, but most of them will indicate PoE-Out state on one additional LED. Devices with one voltage output will light: Red colour LED - PoE-Out port state is powered-on (auto or forced-on mode). Blinking Red ...

karlisi

I suspect security holes in configuration. Post '/export hide-sensitive' here, perhaps we will see something in it.

karlisi

Without details there is not much to recommend. https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router First, be sure to have latest RouterOS (long-term or stable channel, it doesn't matter). Second, disallow access to router from Internet (including winbox, ssh, webfig), if such access is neded...

karlisi

What's new in v3.20: 1) Does the program Winbox use encryption to connect to hardware device? 2) Сan I use Winbox without fear in adverse networks? 3) Is there any protection in the connection from the Man in the middle (MITM) attack? From Winbox v3.14, the following security features are used: Win...

karlisi

Try this add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=443 protocol=tcp \ to-addresses=193.0.8.248 to-ports=443 add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=25 protocol=tcp \ to-addresses=193.0.8.248 to-ports=25 add action=dst-nat chain=dstnat dst-address=192.1...

karlisi

IMHO, no, you need both, hostname and domain name.
Something about this problem here
https://superuser.com/questions/1211416 ... be-ignored

karlisi

I am using ESET Endpoint Antivirus and have no problems with Mikrotik forum.

karlisi

L2tp/IPSec client on Windows can work withour registry mod. NAT device in this case is whatever you want, all magic is made on Mikrotik VPN server
viewtopic.php?f=2&t=149863#p738129

Search found 445 matches