Community discussions


Search found 379 matches

by karlisi
Mon Oct 11, 2021 11:36 am
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 87
Views: 15927

Re: v6.48.5 [long-term] is released!

Post configuration (i.e. example) or it didn't happen. No time to search for the exact sample, but in stable channel changelogs these 'fixed (or reverted) something introduced in some previous release' items occur quite often. Why should I trace down all these introduced-fixed-removed I don't understand but M...
by karlisi
Mon Oct 11, 2021 11:33 am
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 87
Views: 15927

Re: v6.48.5 [long-term] is released!

I think MikroTik should put all changelog items in a database keyed with version number where they are added and version number where they become superseded, and then provide a webpage where you can enter two version numbers and get a customized changelog between those two versions. Channel (stable...
by karlisi
Mon Oct 11, 2021 11:31 am
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 87
Views: 15927

Re: v6.48.5 [long-term] is released!

Post configuration (i.e. example) or it didn't happen. No time to search for the exact sample, but in stable channel changelogs these 'fixed (or reverted) something introduced in some previous release' items occur quite often. Why should I trace down all these introduced-fixed-removed I don't understand but M...
by karlisi
Mon Oct 11, 2021 10:18 am
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 87
Views: 15927

Re: v6.48.5 [long-term] is released!

Especially since even the changelog references a non-existing long-term release in relation to changes from v6.48.4 and not the actual predecessor v6.47.10. https://mikrotik.com/download/changelogs/long-term-release-tree So let's see how the actual release notes for long-term v6.48.5 upgrade from v...
by karlisi
Wed Sep 29, 2021 9:07 am
Forum: General
Topic: ROS 6.38 serious DHCP server problem
Replies: 126
Views: 52235

Re: ROS 6.38 serious DHCP server problem

Network problems can cause this error too. I had a bad network cable between the AP and the switch; from time to time there was this DHCP error for clients on this AP.
by karlisi
Fri Sep 24, 2021 10:23 am
Forum: General
Topic: cap capsman factory reset
Replies: 4
Views: 460

Re: cap capsman factory reset

What if factory version is newer than 6.42.10?
by karlisi
Fri Aug 27, 2021 10:52 am
Forum: Announcements
Topic: WinBox v3.29 released!
Replies: 114
Views: 12543

Re: WinBox v3.29 released!

Or move the Windows button to the top, where it resides in other Windows software. Just to the right of the session, or between it and the Safe Mode button.
by karlisi
Wed Aug 18, 2021 1:02 pm
Forum: Beginner Basics
Topic: Failed IPSEC connection every morning from 216.218.206.106 [SOLVED]
Replies: 2
Views: 492

Re: Failed IPSEC connection every morning from 216.218.206.106 [SOLVED]

https://www.abuseipdb.com/check/216.218.206.106
You can create a blacklist, put it in (and perhaps other abusers later), and drop all connections from the blacklist in the ip firewall raw prerouting chain.
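The blacklist plus raw-chain drop described in the reply above, written out as an added example (this is not configuration from the post or from MikroTik; it assumes the default-configuration interface list "WAN" exists, and the second address is constructed):

```routeros
# Added example, not from the post. Assumes the defconf interface list "WAN".
/ip firewall address-list
add list=blacklist address=216.218.206.106 timeout=30d comment="IPsec probes, see abuseipdb"
# later abusers go into the same list (constructed address):
add list=blacklist address=198.51.100.7 timeout=30d comment="constructed example entry"

# Dropping in raw/prerouting discards the packet before connection tracking,
# so repeated probes cost almost nothing. Keep this rule above any notrack rule.
# in-interface-list=WAN means a mistaken entry can never lock out a LAN host.
/ip firewall raw
add chain=prerouting in-interface-list=WAN src-address-list=blacklist action=drop comment="drop blacklisted sources"

# Check: the rule's packet counter grows with every probe,
# and the "failed" IPsec log lines for that source stop.
# /ip firewall raw print stats
```

The timeout is optional; omitting it makes the entry permanent, while a timeout lets stale entries age out so the list does not grow forever.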
by karlisi
Thu Aug 05, 2021 5:01 pm
Forum: General
Topic: Router config
Replies: 8
Views: 787

Re: Router config

Yes, it should work as you described.
by karlisi
Thu Aug 05, 2021 10:37 am
Forum: General
Topic: Router config
Replies: 8
Views: 787

Re: Router config

The default configuration would be a good starting point.
by karlisi
Tue Jul 20, 2021 9:18 am
Forum: Beginner Basics
Topic: L2tp vpn problem
Replies: 6
Views: 759

Re: L2tp vpn problem

You can't. I guess the clients are Windows, and a Windows VPN connection by default uses the VPN server as the default gateway. Either instruct your clients to disable the remote gateway in the VPN settings, or make a script to do this (perhaps someone can help with this) and send it to the clients.
by karlisi
Mon Jul 19, 2021 8:56 am
Forum: Beginner Basics
Topic: Allow Remote DNS Requests
Replies: 6
Views: 792

Re: Allow Remote DNS Requests

It's self-explanatory: drop all not coming from LAN. The PPPoE interface is not LAN. Allow 53/udp from the appropriate interfaces exactly before this drop-all rule. And be sure not to allow DNS from the entire world.
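The rule placement from the reply above as an added example (not configuration from the post or from MikroTik). It assumes the default-configuration interface lists "LAN" and "WAN", a PPPoE uplink named pppoe-out1 (an assumed name), and that the stock "defconf: drop all not coming from LAN" input rule is present:

```routeros
# Added example, not from the post. Assumed names: pppoe-out1, lists LAN and WAN.

# The PPPoE interface is the Internet side: it belongs in the WAN list, never in LAN.
/interface list member
add list=WAN interface=pppoe-out1

# allow-remote-requests=yes is what turns on the resolver for other hosts;
# the firewall below is what limits that exposure to the LAN side.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

# The accept rules must sit directly above the drop-all rule, so place-before it.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="DNS from LAN" place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN comment="DNS/TCP from LAN" place-before=[find comment="defconf: drop all not coming from LAN"]

# Checks: a query from a LAN host to the router's LAN address is answered;
# a query from the Internet to the public address times out, and
# /ip firewall filter print stats shows the drop-all rule counting those attempts.
```

An open resolver on the WAN side is abused for DNS amplification, so the external check matters more than the internal one.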
by karlisi
Wed Jul 07, 2021 11:48 am
Forum: Beginner Basics
Topic: Simple wAP ac setup - beginners help [SOLVED]
Replies: 13
Views: 1122

Re: Simple wAP ac setup - beginners help [SOLVED]

However the connection speed test is around 16Mbps (If connected directly to home router 2.4 GHz it's ~83 Mbps).
How can I investigate this ?
Check the speed from the AP's cable end, to be sure there is no fancy config in the router.
by karlisi
Tue Jun 22, 2021 9:18 am
Forum: RouterBOARD hardware
Topic: RB1100AH Power supply?
Replies: 2
Views: 1146

Re: RB1100AH Power supply?

Quick search with G resulted in: Max power consumption without attachments 20W https://mikrotik.com/product/RB1100AH The device supports 110-220V at the built in PSU, and 12-24V when powering directly to the board and not using the provided case/PSU. https://i.mt.lv/cdn/product_files/rb1100AHmA_1305...
by karlisi
Tue Jun 15, 2021 11:33 am
Forum: General
Topic: help with firewall "drop" forward
Replies: 7
Views: 552

Re: help with firewall "drop" forward

It's not clear why this rule (and a similar one in the input chain): add action=add-src-to-address-list address-list=BlcokConnections address-list-timeout=none-dynamic chain=forward This rule adds every new connection to the 'BlcokConnections' list. Every means both directions - WAN to LAN and LAN to WAN. That's...
by karlisi
Thu Jun 03, 2021 11:38 am
Forum: Beginner Basics
Topic: Port forwarding 443...
Replies: 3
Views: 467

Re: Port forwarding 443...

I suppose you dst-natted to port 443 without specifying in-interface; that should be your WAN interface.
by karlisi
Wed May 26, 2021 9:27 am
Forum: General
Topic: NAT rules explained with examples [SOLVED]
Replies: 5
Views: 731

Re: NAT rules explained with examples [SOLVED]

The order of rules matters. The hairpin NAT rules (2 and 3) should be before the 'src-nat all LAN' rule (1).
by karlisi
Mon May 24, 2021 1:33 pm
Forum: RouterBOARD hardware
Topic: Add +1 here if you liked "white brick" mikrotik design
Replies: 10
Views: 1287

Re: Add +1 here if you liked "white brick" mikrotik design

+1
White color fits most of interiors
by karlisi
Thu May 20, 2021 10:45 am
Forum: General
Topic: NAT rules explained with examples [SOLVED]
Replies: 5
Views: 731

Re: NAT rules explained with examples [SOLVED]

You are correct in all explanations.
The 2nd is related to the 3rd, hairpin NAT, which is needed if clients in the same subnet should connect to the server using the public IP.
https://help.mikrotik.com/docs/display/ ... HairpinNAT
The 3rd and 4th are almost the same; the 4th rule restricts access to the given src-address only.
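The hairpin arrangement discussed in this reply and in the earlier one about rule order, as an added example (not the thread's own rules or MikroTik's). Addresses are constructed: 203.0.113.10 is the router's public IP, 192.168.88.10 the web server, 192.168.88.0/24 the LAN; "WAN" is the defconf interface list:

```routeros
# Added example, not from the thread. Constructed addresses.
/ip firewall nat
# 1. Publish the server. Match on the public dst-address rather than in-interface=WAN:
#    LAN clients that use the public IP must hit this rule too, or hairpin cannot work.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="publish https"
# 2. Hairpin: LAN client and server share a subnet, so without this the server would
#    reply to the client directly and the client would see an unexpected source IP.
#    Rewriting the source to the router forces the reply back through the router.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=443 action=masquerade comment="hairpin NAT"
# 3. General masquerade for Internet access. First match wins in the srcnat chain,
#    so this general rule stays below the specific hairpin rule.
add chain=srcnat out-interface-list=WAN action=masquerade comment="defconf: masquerade"
# Check the order: /ip firewall nat print
```

The restricted variant mentioned in the reply is rule 2 with src-address set to a single host instead of the whole subnet. If the dst-nat rule had been written with in-interface=WAN (the right choice when the port must only be reachable from outside), the hairpin path would silently stop working, because LAN-originated packets never match it.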
by karlisi
Mon May 17, 2021 4:26 pm
Forum: Beginner Basics
Topic: How do I connect two subnet in a single router? [SOLVED]
Replies: 20
Views: 1735

Re: How do I connect two subnet in single subnet? [SOLVED]

You have a wrong gateway here, I believe: /ip dhcp-server network add address=192.168.188.0/24 comment=pinet gateway=192.168.88.1 netmask=24 should have gateway 192.168.188.1. Not related to the connection problems, but the last 2 drop rules in the forward chain are not needed; the previous rule already drops all from all inte...
by karlisi
Mon Apr 26, 2021 11:28 am
Forum: Beginner Basics
Topic: DSTNAT doesn't opening port
Replies: 9
Views: 941

Re: DSTNAT doesn't opening port

Does a curl test from the 192.168.60.0/24 or /30 network work?
by karlisi
Fri Apr 23, 2021 9:12 am
Forum: Beginner Basics
Topic: Configuration Restore from RB3011 to RB4011
Replies: 6
Views: 1224

Re: Configuration Restore from RB3011 to RB4011

You can use /import file=thenameoftheconfigfile verbose=yes to see where the import stops. After correcting and re-uploading the config file, you can restart the import with /import file=thenameoftheconfigfile verbose=yes from-line=errorlinenumber
by karlisi
Fri Apr 23, 2021 9:01 am
Forum: General
Topic: Port 53 attack [SOLVED]
Replies: 3
Views: 497

Re: Port 53 attack [SOLVED]

The attacker targets the router's public address (the screened part in the log entry), and NAT translates this request to the private one - 111.7.96.178:36152->10.0.0.1:53, NAT 111.7.96.178:36152->(xx.xxx.xxx.xxx:53->10.0.0.1:53). The attacker doesn't see the internal IP; if the request were answered, its source IP would be the router'...
by karlisi
Mon Mar 22, 2021 3:20 pm
Forum: The Dude
Topic: The Dude and windows 10
Replies: 3
Views: 2003

Re: The Dude and windows 10

Sometimes you need to run the Dude client as administrator to perform an upgrade, even if you are a local administrator on your computer.
by karlisi
Wed Mar 17, 2021 3:24 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta5 [development] is released!
Replies: 293
Views: 51657

Re: v7.1beta5 [development] is released!

I had a test CHR on VMware ESXi 6.7 running 7.1beta4 with a quite simple config (1 interface, fixed address, a BGP session). I used System->Packages upgrade to load 7.1beta5. It fails to boot now. On the console it says: Load system WARN: GPT: skip truncate ERROR: could not mount disk! Please attach ...
by karlisi
Tue Mar 02, 2021 8:44 am
Forum: Scripting
Topic: Excluding dynamic entries from [ find ]
Replies: 3
Views: 871

Re: Excluding dynamic entries from [ find ]

or
remove [find dynamic=no]
by karlisi
Thu Feb 25, 2021 11:47 am
Forum: Beginner Basics
Topic: filtering "log print" output (like grep)? [SOLVED]
Replies: 2
Views: 567

Re: filtering "log print" output (like grep)? [SOLVED]

/log print where message~"AppleWatch"
by karlisi
Mon Feb 22, 2021 1:37 pm
Forum: Beginner Basics
Topic: Rename interface: to what port is it connected to?
Replies: 5
Views: 563

Re: Rename interface: to what port is it connected to?

It is in WinBox, using Terminal.
In the GUI, no, it isn't possible. If renaming, put the default name in the comment; it can help sometimes.
by karlisi
Mon Feb 22, 2021 11:34 am
Forum: Beginner Basics
Topic: Rename interface: to what port is it connected to?
Replies: 5
Views: 563

Re: Rename interface: to what port is it connected to?

/interface print detail
to list details of all interfaces, or
/interface print where default-name=sfp2
to find the default name of one interface
by karlisi
Thu Feb 18, 2021 8:36 am
Forum: General
Topic: Upgrading Mikrotik devices through Dude
Replies: 4
Views: 467

Re: Upgrading Mikrotik devices through Dude

Upload using Winbox, not the Dude client.
by karlisi
Mon Feb 15, 2021 6:05 pm
Forum: Beginner Basics
Topic: L2TP with Radius Authentication
Replies: 15
Views: 1061

Re: L2TP with Radius Authentication

Sorry, no idea. On the MikroTik my only error was an incorrect src-address in the RADIUS settings; there should be the router's IP address.
by karlisi
Mon Feb 15, 2021 5:59 pm
Forum: Beginner Basics
Topic: L2TP with Radius Authentication
Replies: 15
Views: 1061

Re: L2TP with Radius Authentication

What is on the MikroTik?
by karlisi
Mon Feb 15, 2021 5:05 pm
Forum: Beginner Basics
Topic: L2TP with Radius Authentication
Replies: 15
Views: 1061

Re: L2TP with Radius Authentication

So, the MikroTik is connecting to NPS, but the policies don't match. The only suggestion is: check all settings thoroughly, step by step, on both sides, especially on NPS. Or start from scratch.
by karlisi
Mon Feb 15, 2021 4:17 pm
Forum: Beginner Basics
Topic: Malicious VPN connection attempts?
Replies: 12
Views: 1355

Re: Malicious VPN connection attempts?

Also, many of them are used only once and never appear again.
by karlisi
Mon Feb 15, 2021 4:16 pm
Forum: Beginner Basics
Topic: L2TP with Radius Authentication
Replies: 15
Views: 1061

Re: L2TP with Radius Authentication

Does it work without RADIUS? Is there something in the Windows Security events?
by karlisi
Mon Feb 15, 2021 4:01 pm
Forum: Beginner Basics
Topic: L2TP with Radius Authentication
Replies: 15
Views: 1061

Re: L2TP with Radius Authentication

Also this link from the comments on the original article
https://mivilisnet.wordpress.com/2019/0 ... s-working/
by karlisi
Mon Feb 15, 2021 3:18 pm
Forum: Beginner Basics
Topic: L2TP with Radius Authentication
Replies: 15
Views: 1061

Re: L2TP with Radius Authentication

by karlisi
Mon Feb 15, 2021 11:07 am
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 211
Views: 37176

Re: v7.1beta4 [development] is released!

In previous betas it was actually completing, but after a very long time, like 20m.
Actually, without 'verbose' it takes exactly 20 min. Very interesting.
by karlisi
Fri Jan 15, 2021 1:03 pm
Forum: Beginner Basics
Topic: NAT Loopback / DNS
Replies: 9
Views: 1241

Re: NAT Loopback / DNS

Not sure what to do with the wiki article. How do I make it work for me, though?
Read, understand and implement. What more do you expect from us if we know nothing about your current config?
by karlisi
Fri Jan 08, 2021 10:36 am
Forum: SwOS
Topic: Zabbix template for
Replies: 4
Views: 2508

Re: Zabbix template for

For version 4, the download links are here
https://share.zabbix.com/official-templ ... plate-pack
Use the SNMPv2 template. And be patient; I received the first data after about 30 min.
by karlisi
Thu Jan 07, 2021 5:16 pm
Forum: SwOS
Topic: Zabbix template for
Replies: 4
Views: 2508

Re: Zabbix template for

Use the standard 'Network Generic Device SNMP' template (built-in). If needed, download it from https://git.zabbix.com/projects/ZBX/rep ... neric_snmp
The link is for the latest Zabbix v5.2; you can change the branch to another one if needed.
by karlisi
Mon Jan 04, 2021 9:05 am
Forum: Beginner Basics
Topic: Connection between SFP / SFP+
Replies: 10
Views: 2608

Re: Connection between SFP / SFP+

An SFP+ module in an SFP cage (RB2011) won't work. An SFP module in an SFP+ cage should.
by karlisi
Fri Dec 11, 2020 12:15 pm
Forum: General
Topic: Ip addresses through Mikrotik takes the router's ip
Replies: 20
Views: 1971

Re: Ip addresses through Mikrotik takes the router's ip

If your clients are using 192.168.0.33 as the DNS server and there is nothing special in the router's configuration, it shouldn't be so. From your description I assume you configured the MikroTik router as the DNS server for clients, with 'allow remote requests' along with 192.168.0.33 as the DNS server on the MikroTik...
by karlisi
Fri Nov 06, 2020 10:47 am
Forum: Beginner Basics
Topic: Mysterious "denied winbox/dude connect from 117.202.126.x" log
Replies: 7
Views: 4856

Re: Mysterious "denied winbox/dude connect from 117.202.126.x" log

Is the interface list LAN empty? Just a guess; you posted only a partial configuration.
by karlisi
Fri Nov 06, 2020 10:35 am
Forum: Wireless Networking
Topic: Signal Range
Replies: 3
Views: 616

Re: Signal Range

RX Signal
by karlisi
Wed Nov 04, 2020 9:23 am
Forum: General
Topic: MKT hEX PoE + WS2K19 DC
Replies: 3
Views: 520

Re: MKT hEX PoE + WS2K19 DC

This is my DNS in MKT:
1.1.1.2 - 1.0.0.2
MKT is DHCP for LAN 192.168.110.0/24
This is DNS where? In IP -> DHCP Server -> Networks? Or in IP -> DNS? If only in the first, clients will never use the AD DNS for resolution.
by karlisi
Wed Oct 07, 2020 9:42 am
Forum: General
Topic: DDoS detection and blocking [SOLVED]
Replies: 8
Views: 1248

Re: DDoS detection and blocking [SOLVED]

That article is almost 10 years old; please use the current version
https://help.mikrotik.com/docs/display/ ... Protection
by karlisi
Mon Sep 28, 2020 10:13 am
Forum: General
Topic: CAPsMAN upgrade doubts
Replies: 6
Views: 808

Re: CAPsMAN upgrade doubts

... CAPs Manager (ARM based hAP ac2 in long-term v6.45.9) and a CAP Slave (MIPSBE mAP Lite 2nD in stable v6.46.6) ... and the upgrade policy to suggest same version. All works as expected; on the client there is a newer version than on the manager, which is why nothing happens. You can do as @mkx suggests, in fact...
by karlisi
Thu Sep 17, 2020 9:49 am
Forum: Beginner Basics
Topic: Forward chain ipsec rule placement
Replies: 2
Views: 350

Re: Forward chain ipsec rule placement

IPsec rules should be before the fasttrack rule, to exclude IPsec traffic from fasttrack. And fasttrack should be before 'accept established, related, untracked' to work properly.
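The forward-chain order from the reply above, as an added example (not the thread's own rules). The defconf comments are the stock ones; the two IPsec matcher rules are the form used in MikroTik's IPsec documentation:

```routeros
# Added example, not from the post.
/ip firewall filter
# IPsec traffic must never be fasttracked: fasttracked packets skip most of the
# packet path, including IPsec policy matching, so tunnel traffic would not be encrypted.
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept decrypted IPsec, before fasttrack"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept traffic to be encrypted, before fasttrack"
# fasttrack first, then the generic accept: a packet that reached the accept rule
# first would be accepted without ever being marked for fasttrack.
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"

# Checks: /ip firewall filter print stats  (the IPsec rules count while the tunnel carries traffic)
#         /ip firewall connection print     (the F flag, fasttrack, appears only on non-IPsec connections)
```

On a router that already has the defconf ruleset, append-on-add puts new rules at the bottom; use place-before=[find comment="defconf: fasttrack"] on the two IPsec rules so they land above the fasttrack rule instead.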
by karlisi
Mon Sep 14, 2020 10:52 am
Forum: Announcements
Topic: v6.46.7 [long-term] is released!
Replies: 45
Views: 14906

Re: v6.46.7 [long-term] is released!

Shouldn't we be seeing the changelog from 6.45.9 to 6.46.7, not from 6.46.6? Going up a major version in a long-term release should be looked over a bit more carefully before we take the plunge. We already had a discussion about that, without results https://forum.mikrotik.com/viewtopic.php?f=21&t...
by karlisi
Thu Sep 03, 2020 10:28 am
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 105
Views: 32906

Re: WinBox v3.27 released!

RB2011 ROS 6.45.9 (long-term), no problems with NAT rules.
by karlisi
Wed Sep 02, 2020 4:42 pm
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 105
Views: 32906

Re: WinBox v3.27 released!

Wow, that was fast! Thank you!
by karlisi
Tue Sep 01, 2020 3:02 pm
Forum: Announcements
Topic: WinBox v3.25 released!
Replies: 68
Views: 11675

Re: WinBox v3.25 released!

Or at least there should be some warning regarding this when it encounters (no longer) supported ROS versions, instead of the current unfortunate behaviour. ROS 6.45.9 is supported; this is the latest long-term version. So, while we are waiting for backporting something (we don't know what) from sta...
by karlisi
Tue Sep 01, 2020 1:12 pm
Forum: Announcements
Topic: WinBox v3.25 released!
Replies: 68
Views: 11675

Re: WinBox v3.25 released!

IMHO you should fix WinBox, not ROS, ASAP, as an upgrade to ROS > 6.47 is not always possible.
And remove WinBox 3.25 from downloads and upgrade ASAP.
by karlisi
Tue Sep 01, 2020 8:49 am
Forum: Announcements
Topic: v6.45.9 [long-term] is released!
Replies: 83
Views: 72227

Re: v6.45.9 [long-term] is released!

Installed on a number of units to notice that the Hotspot Host table is now empty. It appears the Hotspot is still working, as clients are able to connect and log on and then appear in the active table. Seen this on all platforms. Also the same issue is present in v6.47.2. Is it just me or is anyone else s...
by karlisi
Tue Sep 01, 2020 8:44 am
Forum: RouterBOARD hardware
Topic: CAPSMAN Manager For Medium to Big deployment
Replies: 4
Views: 809

Re: CAPSMAN Manager For Medium to Big deployment

CCR2004-1G-12S+2XS https://mikrotik.com/product/ccr2004_1g_12s_2xs I have deployed similar medium sized systems using RB4011 and CRS328's. The RB4011 is connected by SFP+ and handles all the CAPSMAN traffic in non-local-forward mode. The benefit of this is all the radios are ports on one common bri...
by karlisi
Tue Sep 01, 2020 8:35 am
Forum: Announcements
Topic: WinBox v3.25 released!
Replies: 68
Views: 11675

Re: WinBox v3.25 released!

You can say that this version has a killer feature. Open CAPsMAN, click on the "Radio" tab and watch all your CAPs disconnect. Also, keeping that tab open will not let any CAP connect back: "failed to connect, timeout". LE: they do come back eventually, but nothing shows up on the Radi...
by karlisi
Fri Aug 28, 2020 11:21 am
Forum: Beginner Basics
Topic: MikroTik LtAP LTE6 kit Config for Latvia LMT mobile network
Replies: 8
Views: 1237

Re: MikroTik LtAP LTE6 kit Config for Latvia LMT mobile network

And don't compare the router with a phone; they are using different frequencies, so there can be a different load on the tower. It would be interesting to see the same RSRP, RSRQ and SINR from the Huawei router.
by karlisi
Fri Aug 28, 2020 11:15 am
Forum: Beginner Basics
Topic: MikroTik LtAP LTE6 kit Config for Latvia LMT mobile network
Replies: 8
Views: 1237

Re: MikroTik LtAP LTE6 kit Config for Latvia LMT mobile network

How are your signal levels (RSRP, RSRQ, etc.)

Regards.
RSRP: -106 dBm
RSRQ: -13.0 dB
SINR 7dB ( changing in limits from 5 to 10 )
Very poor signal, according to this
https://wiki.teltonika-networks.com/vie ... _.28LTE.29
by karlisi
Fri Aug 21, 2020 1:19 pm
Forum: General
Topic: I can't see traffic on the NAT, it uses the main bridge
Replies: 6
Views: 1141

Re: I can't see traffic on the NAT, it uses the main bridge

You want to restrict access from bridge-public to bridge by this rule? add action=src-nat chain=srcnat dst-address=!192.168.88.0/24 \ out-interface-list=WAN src-address=10.0.0.0/22 to-addresses=\ 192.168.88.250 IMHO, this will not work; requests to 192.168.88.0/24 miss this rule and will be routed...
by karlisi
Thu Aug 20, 2020 10:07 am
Forum: Beginner Basics
Topic: Point-to-multipoint
Replies: 9
Views: 1029

Re: Point-to-multipoint

Yes, the RB711-5HnD comes with an L4 (AP) license.
https://mikrotik.com/product/RB711GA-5HnD
by karlisi
Mon Aug 17, 2020 5:13 pm
Forum: Beginner Basics
Topic: Transfer configuration between identical hardware [SOLVED]
Replies: 4
Views: 1337

Re: Transfer configuration between identical hardware [SOLVED]

And yes, you should remove unwanted MAC addresses from the exported configuration.
by karlisi
Mon Aug 17, 2020 1:09 pm
Forum: Beginner Basics
Topic: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?
Replies: 27
Views: 5388

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

You can use the 'verbose' switch on import; sometimes the output to the screen helps to spot the problem, because you will see exactly where the script stops. And there is another useful switch, 'from-line', which you can use to continue the import after correcting errors.
by karlisi
Fri Aug 14, 2020 8:56 am
Forum: Beginner Basics
Topic: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?
Replies: 27
Views: 5388

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Last row says: 19:48, 21 May 2008 (EEST)
I believe most of it is obsolete. As said before, the default ruleset is the best starting point.
by karlisi
Thu Aug 13, 2020 3:40 pm
Forum: Beginner Basics
Topic: VNC with MikroTik LMT LTE18 router
Replies: 20
Views: 4654

Re: VNC with MikroTik LMT LTE18 router

So you don't have a public IP address; this IP is from the LMT internal network for clients, which is behind some NAT. Because they don't have a dst-nat from a real public IP to your router's external LTE interface, you can't establish a VNC connection. You should ask LMT for a real public IP. It can be dynamic, you ca...
by karlisi
Thu Aug 13, 2020 1:38 pm
Forum: Beginner Basics
Topic: VNC with MikroTik LMT LTE18 router
Replies: 20
Views: 4654

Re: VNC with MikroTik LMT LTE18 router

Do you have a public IP address on the LTE interface? Or one from the 10.0.0.0/8 network (something like 10.44.28.53)?
by karlisi
Wed Aug 12, 2020 5:02 pm
Forum: Beginner Basics
Topic: Can't create l2tp and other vpn servers
Replies: 4
Views: 1219

Re: Can't create l2tp and other vpn servers

Sure, it shouldn't work. You have no incoming firewall rules for VPN, no L2TP profiles or secrets defined, only an enabled L2TP server. That's why I linked the wiki and one of the many step-by-step guides found by Google.
by karlisi
Mon Aug 03, 2020 3:49 pm
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 6749

Re: Am I protected with this settings?

System: hAP ac. OS 6.47.1. I have only added a few rules to the default firewall rules. Do I need to add anything else to make my hAP ac secure? My configuration is as given below. /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interf...
by karlisi
Mon Aug 03, 2020 8:16 am
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 117
Views: 43738

Re: CSS326-24G-2S+RM hangs until power cycle

On first test problem was not resolved, but we will test it more thoroughly this week.
by karlisi
Thu Jul 30, 2020 4:49 pm
Forum: General
Topic: Fix NTP Client to use FQDN
Replies: 1
Views: 706

Re: Fix NTP Client to use FQDN

"Server DNS Names" field is for FQDN of NTP servers.
by karlisi
Mon Jul 27, 2020 9:21 am
Forum: Scripting
Topic: Script to Reboot Routerboard
Replies: 16
Views: 41992

Re: Script to Reboot Routerboard

You don't need a script. Simply write /system reboot in the scheduler 'On Event' field.
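The same thing done from the terminal, as an added example (not from the post), with the scheduler's policy reduced to what the command needs rather than the broad default set (the schedule itself is an assumption):

```routeros
# Added example, not from the post. Nightly reboot at 04:00, no script object needed.
# policy is trimmed on purpose: the default scheduler policy also grants
# password, sensitive and similar rights that a reboot entry never needs.
/system scheduler
add name=nightly-reboot start-time=04:00:00 interval=1d on-event="/system reboot" policy=reboot,read comment="reboot command placed directly in on-event"

# Check the entry and its next run:
# /system scheduler print detail
```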
by karlisi
Thu Jul 16, 2020 1:40 pm
Forum: General
Topic: Winbox [SOLVED]
Replies: 2
Views: 1077

Re: Winbox [SOLVED]

by karlisi
Wed Jul 08, 2020 9:16 am
Forum: The Dude
Topic: winbox problem with dude [SOLVED]
Replies: 2
Views: 1832

Re: winbox problem with dude [SOLVED]

You should edit the path to WinBox in the Dude client to the actual WinBox location
https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/Tools
by karlisi
Tue Jul 07, 2020 8:30 am
Forum: The Dude
Topic: Admin Password
Replies: 11
Views: 2804

Re: Admin Password

If you are speaking about CHR, you can use the free version without registration; the only restriction is:
The free license level allows CHR to run indefinitely. It is limited to 1Mbps upload per interface.
https://wiki.mikrotik.com/wiki/Manual:CHR#free
by karlisi
Mon Jul 06, 2020 5:10 pm
Forum: The Dude
Topic: Admin Password
Replies: 11
Views: 2804

Re: Admin Password

Before, the Dude could watch all servers or devices... like Windows OS, Linux OS, HP switch or Cisco router etc... now does it watch only MikroTik? No, you can monitor everything as before. The only difference is, now the Dude server can run on RouterOS only. It can be a MikroTik device or a CHR virtual m...
by karlisi
Mon Jul 06, 2020 4:16 pm
Forum: The Dude
Topic: Admin Password
Replies: 11
Views: 2804

Re: Admin Password

The MikroTik where the Dude server part is installed.
by karlisi
Tue May 26, 2020 4:18 pm
Forum: General
Topic: Backup / Restore [SOLVED]
Replies: 10
Views: 6097

Re: Backup / Restore [SOLVED]

For an rsc file, use /import instead of /system backup. Nothing has changed in terms of backup and export usage; you should not use a backup to restore it on another machine, even if it works.
by karlisi
Tue May 26, 2020 11:31 am
Forum: Beginner Basics
Topic: Firewall Problem
Replies: 4
Views: 1212

Re: Firewall Problem

If this is all your firewall and you disable the last drop rule, your forward chain is fully open. BTW, the last drop rule seems wrong: it drops all not-dstnatted connections coming from any interface; typically you want to drop these only from WAN.
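Both this reply and the earlier one about the add-src-to-address-list rule come down to the same omission: a forward-chain rule with no interface scope matches traffic in both directions. An added example (not rules from either thread or from MikroTik) showing the scoped forms; it assumes the defconf interface list "WAN" and keeps the list name exactly as it appeared in the earlier thread:

```routeros
# Added example, not from the threads. Assumes the defconf interface list "WAN".
/ip firewall filter
# As posted in the earlier thread, this fires for every new forwarded connection
# in either direction, so LAN hosts end up on the list as well:
#   add action=add-src-to-address-list address-list=BlcokConnections address-list-timeout=none-dynamic chain=forward
# Scoped version: only unsolicited connections arriving from WAN that no dst-nat rule published.
add chain=forward action=add-src-to-address-list address-list=BlcokConnections address-list-timeout=1d in-interface-list=WAN connection-state=new connection-nat-state=!dstnat comment="collect unsolicited WAN sources"
# add-src-to-address-list does not terminate the chain, so the drop has to follow it.
# This is the defconf form of the drop rule, with the interface scope the posted one lacked.
add chain=forward action=drop in-interface-list=WAN connection-state=new connection-nat-state=!dstnat comment="defconf: drop all from WAN not DSTNATed"

# Check: generate a LAN-to-Internet connection and confirm it neither lands in
# /ip firewall address-list print where list=BlcokConnections
# nor increments the drop counter in /ip firewall filter print stats
```

The collected list is only useful if something consumes it, for instance a raw prerouting drop keyed on src-address-list; without that consumer the rule is just bookkeeping.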
by karlisi
Tue May 26, 2020 8:35 am
Forum: General
Topic: Move configuration from old to new router
Replies: 5
Views: 2244

Re: Move configuration from old to new router

You can use the configuration export, not the backup. It is recommended to edit the exported configuration; there can be e.g. some MAC addresses you don't want to transfer to the new router.
by karlisi
Mon May 25, 2020 8:58 am
Forum: Wireless Networking
Topic: Setting Time in Capac from main router. [SOLVED]
Replies: 7
Views: 2947

Re: Setting Time in Capac from main router. [SOLVED]

I doubt your gateway works as an NTP server. Set the NTP server DNS name to pool.ntp.org.
by karlisi
Fri May 22, 2020 1:25 pm
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 106
Views: 67301

Re: Winbox v3.24 released!

With Log window opened, minimize WinBox, then Restore. Log is always reverted to the beginning. Anyone else seeing this? Yes, the same here Just tried it on several routers, but only see this behavior on a single device. A differentiating factor appears to be the number of records kept in the log. ...
by karlisi
Wed May 20, 2020 10:15 am
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 106
Views: 67301

Re: Winbox v3.24 released!

Hello

With Log window opened, minimize WinBox, then Restore. Log is always reverted to the beginning.
Anyone else seeing this?

Regards
Yes, the same here
by karlisi
Tue May 19, 2020 3:30 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 2706

Re: Accessing external IP from LAN without hairpin NAT

The quick answer is yes: if you use a second IP for the webserver, you don't need hairpin NAT. And you don't need the internal DNS server to point to the DMZ IP; point it to the external IP. Be sure not to use the default masquerade; use src-nat to the appropriate external IPs instead.
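The second-public-IP layout from the reply above, as an added example (not the thread's own configuration). All addresses are constructed: 203.0.113.10 is the router's primary public IP, 203.0.113.11 the second one given to the web server, 192.168.90.10 the server in a separate DMZ subnet, 192.168.88.0/24 the LAN; "WAN" is the defconf interface list and ether1 is assumed to be the uplink:

```routeros
# Added example, not from the post. Constructed addresses; ether1 assumed as uplink.
/ip address
add address=203.0.113.11/29 interface=ether1 comment="second public IP, web server"

/ip firewall nat
# Inbound: the second IP belongs to the server, but publish only the ports it serves.
add chain=dstnat dst-address=203.0.113.11 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.90.10 comment="web server via its own public IP"
# Outbound: explicit src-nat per source. masquerade would use the interface's primary
# address, so the server would leave on 203.0.113.10 instead of its own IP.
add chain=srcnat src-address=192.168.90.10 out-interface-list=WAN action=src-nat to-addresses=203.0.113.11 comment="server egress on its own IP"
add chain=srcnat src-address=192.168.88.0/24 out-interface-list=WAN action=src-nat to-addresses=203.0.113.10 comment="LAN egress on primary IP"

# No hairpin rule: a LAN client resolving the name to 203.0.113.11 is dst-natted into the
# DMZ subnet, so the server's reply has to cross the router and is un-NATted there.
# Internal DNS can therefore hand out 203.0.113.11, the same record the Internet uses.
```

The part that makes hairpin unnecessary is the server living in a different subnet from the clients (the assumption above), not the second address by itself; with the server on the LAN segment the reply would bypass the router and a hairpin rule would be back.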
by karlisi
Mon May 18, 2020 8:38 am
Forum: Beginner Basics
Topic: VPN L2TP7IPSEC
Replies: 1
Views: 642

Re: VPN L2TP7IPSEC

Read this
viewtopic.php?f=2&t=149863#p738129
or this (although the article is about Windows Vista, it applies to newer Windows versions too)
https://support.microsoft.com/en-us/hel ... in-windows
by karlisi
Wed May 06, 2020 8:23 am
Forum: Forwarding Protocols
Topic: access my webserver in local network
Replies: 7
Views: 3156

Re: access my webserver in local network

I supposed the OP has a static public IP, because
i access my web server from internet all thing work fine
by karlisi
Tue May 05, 2020 4:18 pm
Forum: Forwarding Protocols
Topic: access my webserver in local network
Replies: 7
Views: 3156

Re: access my webserver in local network

Did you read that at all? Look in /ip firewall nat. If you have the default config, you already have this: add chain=srcnat out-interface=WAN action=masquerade If you can access your webserver from outside of the LAN, add this and all should work: add chain=dstnat dst-address=<your-public-ip-address-here> prot...
by karlisi
Tue May 05, 2020 8:38 am
Forum: Beginner Basics
Topic: L2TP/IPsec to Windows Client
Replies: 1
Views: 961

Re: L2TP/IPsec to Windows Client

by karlisi
Thu Mar 12, 2020 3:52 pm
Forum: Beginner Basics
Topic: RB1100AHx2 upgrade 6.32.4 to 6.46.4
Replies: 6
Views: 2262

Re: RB1100AHx2 upgrade 6.32.4 to 6.46.4

I'm not really sure if the RB1100 is in the "default settings are completely empty" category (like the CCR)...
Yes it is completely empty.
by karlisi
Thu Mar 12, 2020 8:48 am
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 58201

Re: v6.46.4 [stable] is released!

I have Dude 6.46.4 and many RBs 6.44.6, and they all are talking with Dude.
by karlisi
Mon Feb 24, 2020 10:07 am
Forum: Forwarding Protocols
Topic: Problem with a VPN Server Router behind Mikrotik
Replies: 4
Views: 3437

Re: Problem with a VPN Server Router behind Mikrotik

You don't need all the UDP rules and all the input chain rules. Nor the last 2 dst-nat rules.
Try to add this (if you have the default firewall ruleset you don't need it)
/ip firewall filter
add action=accept chain=forward dst-port=1723 protocol=tcp comment="PPTP control channel"
add action=accept chain=forward protocol=gre comment="PPTP data channel; PPTP carries the tunnel in GRE, not TCP"
by karlisi
Fri Feb 14, 2020 8:34 am
Forum: RouterBOARD hardware
Topic: Ccr 1009 power issue
Replies: 12
Views: 5077

Re: Ccr 1009 power issue

I suspect there are many more problems if this resistor, in fact a simple wire, is blown. Search for shorts somewhere after this resistor.
by karlisi
Mon Feb 10, 2020 3:56 pm
Forum: Beginner Basics
Topic: Help me fix my crappy firewall
Replies: 11
Views: 5935

Re: Help me fix my crappy firewall

About the other firewall rules. Rule #11 is unneeded because rule #21 already does that: 11 ;;; Allow portforward chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1_UPLINK 21 ;;; drop all from WAN not DSTNATed chain=forward action=drop connection-state=new co...
by karlisi
Mon Feb 10, 2020 3:47 pm
Forum: Beginner Basics
Topic: Help me fix my crappy firewall
Replies: 11
Views: 5935

Re: Help me fix my crappy firewall

At the end of this journey, nothing known should reach the last rule on the firewall (chain=input action=drop log=yes). This log will (in the distant future) be sent to a central logging service with alerts attached to it. Not exactly. These SYN packets are dropped in the input chain; they are coming to the ro...
by karlisi
Wed Jan 29, 2020 4:44 pm
Forum: Announcements
Topic: v6.45.8 [long-term] is released!
Replies: 87
Views: 72612

Re: v6.45.8 [long-term] is released!

Long term: Released rarely, and includes only the most important fixes, upgrades within one number branch not add new features.
https://wiki.mikrotik.com/wiki/Manual:U ... _numbering
by karlisi
Tue Jan 28, 2020 8:52 am
Forum: General
Topic: L2TP IPSec behind Internet
Replies: 3
Views: 1186

Re: L2TP IPSec behind Internet

The first solution is not usable only for clients which are all behind one NAT.
by karlisi
Fri Jan 24, 2020 2:22 pm
Forum: General
Topic: L2TP IPSec behind Internet
Replies: 3
Views: 1186

Re: L2TP IPSec behind Internet

Read this, it works very well https://forum.mikrotik.com/viewtopic.php?f=2&t=149863#p738129 Another solution is to modify the Windows client registry: http://woshub.com/l2tp-ipsec-vpn-server-behind/ The original MS article about this solution (works also on the latest Windows versions) https://support.micro...
by karlisi
Fri Jan 24, 2020 1:59 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 42132

Re: v6.46.2 [stable] is released!

P.S. All the "verification is a useless step", "we know better" answers are really ābols-style and it's sad to see that MikroTik has started going in this direction (a direction that is not very appreciated by IT people who might be a very notable share of current MikroTik users...
by karlisi
Thu Jan 23, 2020 10:09 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 42132

Re: v6.46.2 [stable] is released!

What to do, if I want to cancel upgrade? - Use "/system package update cancel" feature What to do if I do not realize there is an upgrade present that needs to be cancelled, because I can't see it, and therefore fail to cancel it? Use /system package update print to check, this is what th...
by karlisi
Thu Jan 23, 2020 10:07 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 42132

Re: v6.46.2 [stable] is released!

Regarding verification of packages after download, this is of course about actually seeing the file in /file. That is not the same as doing a hash check or something, but that is not what this is about IMHO half of complaints would be eliminated, if there would be text in File window status bar, li...
by karlisi
Thu Jan 23, 2020 9:48 am
Forum: Beginner Basics
Topic: Per Port DHCP Address
Replies: 3
Views: 1318

Re: Per Port DHCP Address

It depends. Using switch alone - no.
by karlisi
Tue Jan 21, 2020 4:01 pm
Forum: Beginner Basics
Topic: Cable test [SOLVED]
Replies: 24
Views: 6762

Re: Cable test [SOLVED]

This is a one-fiber module; there is nothing to reverse, unlike in modules with separate tx and rx fibers.
by karlisi
Mon Jan 20, 2020 4:16 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 42132

Re: v6.46.2 [stable] is released!

3) If actual upgrade at reboot fails (due to missing packages or whatever), how does the admin know what packages are leftover in Files, and how does he remove them if Files is going to pretend to him that they don't exist? There will be no leftovers, on reboot they delete all npk files in file roo...
by karlisi
Mon Jan 20, 2020 4:12 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 42132

Re: v6.46.2 [stable] is released!

Can anyone post reasonable reason why it's important? Because such changes (non-cosmetic, without clear reason) are introduced without warning. BTW there is unmet side effect. Usually after ROS upgrade I uploaded additional packages to CAPsMAN for another platforms, to remote upgrade CAPs, storing ...
by karlisi
Mon Jan 20, 2020 11:15 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 42132

Re: v6.46.2 [stable] is released!

System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle. Please undo this change, it serves no useful purpose and has many disadvantages. Please revert this change. +++ I totally agree with pe1chl , macsrwe and r00t . Please revert...
by karlisi
Fri Jan 10, 2020 9:40 am
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 117
Views: 43738

Re: CSS326-24G-2S+RM hangs until power cycle

IGMP Snooping is already off.
by karlisi
Thu Jan 09, 2020 10:46 am
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 117
Views: 43738

Re: CSS326-24G-2S+RM hangs until power cycle

For now, try to disable the Flow Control for all interfaces under the "Link" menu in SwOS. Also, try to verify that other devices connected to the switch are not using any Flow Control settings. Keep an eye for any counters on the "Errors" menu. Let us know whether the switch st...
by karlisi
Tue Jan 07, 2020 9:45 am
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 117
Views: 43738

Re: CSS326-24G-2S+RM hangs until power cycle

This just happened to my CSS326-24G-2S+ running 2.10. It started balking after 17 days of uptime. Pings were fine, but any serious traffic would hang after a packet or two. Wow, it seems I'm not alone. My problem though is a little bit specific. There is no problem with wired clients, but if I conn...
by karlisi
Fri Dec 20, 2019 10:06 am
Forum: General
Topic: MT Router and Suricata as a IDS [SOLVED]
Replies: 2
Views: 1632

Re: MT Router and Suricata as a IDS [SOLVED]

Have you read this?
viewtopic.php?f=2&t=111727
by karlisi
Tue Dec 17, 2019 10:25 am
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 48402

Re: v6.46 [stable] is released!

It's an old and very clever rule for every software product: never put a new release into production before the first bugfix sub-release, so in this case wait for 6.46.1 at least.
by karlisi
Tue Dec 17, 2019 10:20 am
Forum: Beginner Basics
Topic: VPN PPTP [SOLVED]
Replies: 6
Views: 1747

Re: VPN PPTP [SOLVED]

I added: /ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="Allow IN PPTP/TCP1723" disabled=no /ip firewall filter add chain=output protocol=tcp dst-port=1723 action=accept comment="Allow OUT PPTP/TCP1723" disabled=no /ip firewall filter add ch...
by karlisi
Tue Dec 10, 2019 10:52 am
Forum: General
Topic: /interface ethernet set [ find default-name=ether1 ] speed=100Mbps
Replies: 5
Views: 2552

Re: /interface ethernet set [ find default-name=ether1 ] speed=100Mbps

Seems like a bug in /export; some versions back the interface export was clean.
by karlisi
Tue Dec 10, 2019 10:41 am
Forum: General
Topic: Problem with RouterOS Updating
Replies: 6
Views: 1384

Re: Problem with RouterOS Updating

Pay attention if there are no other architecture packages uploaded on the device! And this is really annoying. Some time ago it was possible to upload to the CAPsMAN device packages for the device itself and for the CAPs, and upgrade the entire network with one reboot. Now I should first upgrade the manager, then the CAPs. So...
by karlisi
Mon Dec 02, 2019 4:02 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 4110

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

On Windows client it can be done manually, using Powershell or GUI.
http://eyonic.blogspot.com/2016/06/how- ... ng-in.html
by karlisi
Thu Nov 28, 2019 4:44 pm
Forum: General
Topic: PPTP VPN - access file server
Replies: 3
Views: 941

Re: PPTP VPN - access file server

Router 1 should know where to send replies.
by karlisi
Wed Nov 27, 2019 3:11 pm
Forum: General
Topic: Port 8000 forwarding for HIKVISION camera not working
Replies: 9
Views: 3269

Re: Port 8000 forwarding for HIKVISION camera not working

My public IP is dynamic It's OK with dst-nat rules. You don't need 554/tcp or 8000/udp for iVMS application. How do you connect to external address? From inside the LAN? If so, you need additional hairpin-nat rule. I do not connect to an external address. Do you mean to my public IP? I connect it f...
by karlisi
Tue Nov 26, 2019 4:47 pm
Forum: General
Topic: Port 8000 forwarding for HIKVISION camera not working
Replies: 9
Views: 3269

Re: Port 8000 forwarding for HIKVISION camera not working

It's OK with dst-nat rules. You don't need 554/tcp or 8000/udp for the iVMS application.
How do you connect to the external address? From inside the LAN? If so, you need an additional hairpin-nat rule.
by karlisi
Tue Nov 19, 2019 4:13 pm
Forum: RouterBOARD hardware
Topic: RB951Ui-2HnD Mikrotik 5th Poe Port
Replies: 1
Views: 2213

Re: RB951Ui-2HnD Mikrotik 5th Poe Port

PoE-Out LEDs Models with dependant voltage output PoE-Out LED behaviour can differ between models, but most of them will indicate PoE-Out state on one additional LED. Devices with one voltage output will light: Red colour LED - PoE-Out port state is powered-on (auto or forced-on mode). Blinking Red ...
by karlisi
Tue Nov 19, 2019 11:08 am
Forum: General
Topic: Sudden lost of all admin passwords and admin users
Replies: 17
Views: 3959

Re: Sudden lost of all admin passwords and admin users

I suspect security holes in the configuration. Post '/export hide-sensitive' here, perhaps we will see something in it.
by karlisi
Fri Nov 15, 2019 10:02 am
Forum: General
Topic: Sudden lost of all admin passwords and admin users
Replies: 17
Views: 3959

Re: Sudden lost of all admin passwords and admin users

Without details there is not much to recommend. https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router First, be sure to have the latest RouterOS (long-term or stable channel, it doesn't matter). Second, disallow access to the router from the Internet (including winbox, ssh, webfig); if such access is needed...
by karlisi
Wed Nov 06, 2019 8:11 am
Forum: Announcements
Topic: Winbox v3.20 released!
Replies: 42
Views: 39794

Re: Winbox v3.20 released!

What's new in v3.20: 1) Does the program Winbox use encryption to connect to hardware device? 2) Сan I use Winbox without fear in adverse networks? 3) Is there any protection in the connection from the Man in the middle (MITM) attack? From Winbox v3.14, the following security features are used: Win...
by karlisi
Wed Oct 30, 2019 11:43 am
Forum: Beginner Basics
Topic: DST-NAT to internal multiple IP Adresses
Replies: 5
Views: 1074

Re: DST-NAT to internal multiple IP Adresses

Try this add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=443 protocol=tcp \ to-addresses=193.0.8.248 to-ports=443 add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=25 protocol=tcp \ to-addresses=193.0.8.248 to-ports=25 add action=dst-nat chain=dstnat dst-address=192.1...
by karlisi
Mon Oct 21, 2019 4:09 pm
Forum: Beginner Basics
Topic: Redirecting the IP address to name
Replies: 10
Views: 1959

Re: Redirecting the IP address to name

IMHO, no, you need both, hostname and domain name.
Something about this problem here
https://superuser.com/questions/1211416 ... be-ignored
by karlisi
Fri Oct 11, 2019 10:48 am
Forum: General
Topic: ESET AV detect PHP/Obfuscated.E at this forum
Replies: 1
Views: 926

Re: ESET AV detect PHP/Obfuscated.E at this forum

I am using ESET Endpoint Antivirus and have no problems with Mikrotik forum.
by karlisi
Mon Oct 07, 2019 10:20 am
Forum: General
Topic: L2TP/IPSec - Works from Android and Mikrotik but not Windows?
Replies: 3
Views: 2367

Re: L2TP/IPSec - Works from Android and Mikrotik but not Windows?

The L2TP/IPsec client on Windows can work without the registry mod. The NAT device in this case is whatever you want; all the magic is done on the Mikrotik VPN server
viewtopic.php?f=2&t=149863#p738129
by karlisi
Mon Sep 16, 2019 9:24 am
Forum: General
Topic: Laptops are trying to hack my router
Replies: 8
Views: 2349

Re: Laptops are trying to hack my router

Start with this
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
If you want to block access to the router from the guest network, block in the firewall input chain everything from this interface or IP range, allowing only the needed services, i.e. DHCP, DNS, etc.
by karlisi
Fri Aug 09, 2019 1:25 pm
Forum: RouterBOARD hardware
Topic: Cant connect to RB951G-2HnD [SOLVED]
Replies: 2
Views: 2555

Re: Cant connect to RB951G-2HnD [SOLVED]

Hold the reset button for about 5 sec, until the ACT LED starts flashing. If held for 10 sec or more and the LED stays lit or turns off, it's too long.
https://wiki.mikrotik.com/wiki/Manual:Reset
by karlisi
Mon Aug 05, 2019 5:56 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 44650

Re: v6.45.3 [stable] is released!

I don't know what smips device is, I have hAP and two hAP lites. Maybe I don't need the whole smips package.
Processor architecture: hAP is mipsbe, hAP Lite is smips.
by karlisi
Fri Aug 02, 2019 3:28 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 62824

Re: v6.45.2 [stable] is released!

My RB750Gr3 with version 6.41.5. After reboot it must be upgraded. But after that it did not start correctly; I cannot see it in winbox
Check Winbox version, it must be at least 3.19
by karlisi
Tue Jul 30, 2019 8:18 am
Forum: The Dude
Topic: can't add winbox as tool to The Dude
Replies: 4
Views: 2940

Re: can't add winbox as tool to The Dude

"C:\Program Files (x86)\Dude\winbox.exe" "[Device.FirstAddress]:1234" "[Device.UserName]" "[Device.Password]"
by karlisi
Mon Jul 29, 2019 11:44 am
Forum: RouterBOARD hardware
Topic: Electrical Problems Causing Failure
Replies: 10
Views: 3192

Re: Electrical Problems Causing Failure

Seems like something in the network. RB2011 has an external PSU which typically fails first on bad electricity.
by karlisi
Wed Jul 17, 2019 12:06 pm
Forum: Wireless Networking
Topic: Lost connection over wireless to remote station after upgrade [SOLVED]
Replies: 1
Views: 1200

Re: Lost connection over wireless to remote station after upgrade [SOLVED]

To answer my own question - regulatory domain restrictions. On station wireless installation=outdoor, on AP installation=any, frequency on both 5180 MHz. For country Latvia lowest allowed frequency for outdoor installations is 5500 MHz, so on station frequency was wrong, but older ROS allowed it. Fr...
by karlisi
Tue Jul 16, 2019 9:58 am
Forum: General
Topic: NEED help with FORUM
Replies: 6
Views: 1402

Re: NEED help with FORUM

See User control panel -> Board preferences -> Edit notification option
by karlisi
Tue Jul 16, 2019 8:13 am
Forum: The Dude
Topic: Is Dude Communication Secure ?
Replies: 4
Views: 3222

Re: Is Dude Communication Secure ?

For example, part of my first question concerns SNMP to the RouterOS device itself. With secure mode enabled, does the Dude poll the RouterOS device's SNMP via the secure connection or across the WAN facing SNMP port ? Only SNMP v3 supports secure communication. Configure Dude server and devices to...
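As an added example of the device side of that advice (not code from the thread or from MikroTik): a read-only SNMPv3 authPriv user for the Dude server on a RouterOS device, with the default unauthenticated "public" community switched off. The Dude server address 192.168.7.70, the community name and both passwords are assumptions; replace them.

```routeros
# Added example (not from the thread): SNMPv3 authPriv, read-only, for one poller.
# Assumptions: Dude server = 192.168.7.70, passwords are placeholders.
/snmp community
# The default "public" community cannot be removed, but it can be disabled;
# left enabled it answers SNMPv1/v2c reads from anyone who can reach UDP/161
set [find name=public] disabled=yes
# security=private means authentication AND encryption (authPriv).
# addresses= limits which source may use this user at all.
add name=dudev3 security=private \
    authentication-protocol=SHA1 authentication-password="replace-auth-pass" \
    encryption-protocol=AES encryption-password="replace-priv-pass" \
    read-access=yes write-access=no addresses=192.168.7.70/32
/snmp set enabled=yes
# Check: only the v3 user should be enabled, and it should be read-only
/snmp community print detail
```

On the Dude side the device's SNMP profile has to be set to version 3 with the same user name, SHA1/AES and the two passwords; a v2c profile will simply stop working once "public" is disabled. The input chain still has to accept UDP/161, and it should do so only from the Dude server's address, not from the WAN.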
by karlisi
Mon Jul 15, 2019 4:05 pm
Forum: Wireless Networking
Topic: Lost connection over wireless to remote station after upgrade [SOLVED]
Replies: 1
Views: 1200

Lost connection over wireless to remote station after upgrade [SOLVED]

Have an AP and 2 remote stations to make wireless bridges. Upgraded the AP and one of the stations from 6.42.12 to 6.44.5 and lost connection to the upgraded station. The not-upgraded station works. Some ideas, what is changed and is it possible to recover the connection without physically accessing the remote station? configurat...
by karlisi
Mon Jul 15, 2019 10:10 am
Forum: The Dude
Topic: Is Dude Communication Secure ?
Replies: 4
Views: 3222

Re: Is Dude Communication Secure ?

Secure mode - Whether to use Secure mode when connecting to a RouterOS device. Uses TLS connection

https://wiki.mikrotik.com/wiki/Manual:T ... e_settings
by karlisi
Thu Jul 11, 2019 8:18 am
Forum: The Dude
Topic: Push logs from Mikrotik to Graylog Server
Replies: 7
Views: 6266

Re: Push logs from Mikrotik to Graylog Server

Yes, logs from Mikrotik can be collected on Graylog.
by karlisi
Wed Jul 10, 2019 3:22 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 60857

Re: v6.44.5 [long-term] is released!

Every changelog must contain all changes and fixes from previous same channel release, not from previous release by number. It's about this sentence? For long-term channel there are no other intermediate releases, only long-term. Similarly as for stable channel there is no beta releases. Changelogs...
by karlisi
Wed Jul 10, 2019 2:57 pm
Forum: The Dude
Topic: Push logs from Mikrotik to Graylog Server
Replies: 7
Views: 6266

Re: Push logs from Mikrotik to Graylog Server

Are you also writing in the Graylog forum? As already said there, first check if messages can reach the graylog server at all and if port 2514 is open on the server.
by karlisi
Wed Jul 10, 2019 11:29 am
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 60857

Re: v6.44.5 [long-term] is released!

How do you guys propose we make such a changelog? This is the long term branch, where releases are very rare, and the jumps are very big. Imagine there could be 15 fixes, new bugs, fixes again, then the feature could be already removed, then a new one added, removed again, and then a new feature ma...
by karlisi
Wed Jul 10, 2019 9:51 am
Forum: Wireless Networking
Topic: Equipment for the conference room
Replies: 6
Views: 2291

Re: Equipment for the conference room

He's using a PoE switch to provide power to the APs, in place of 4 PoE injectors.
by karlisi
Tue Jul 09, 2019 2:13 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 60857

Re: v6.44.5 [long-term] is released!

Mikrotik, please, write changelogs properly! Since separating the stable and long-term channels they are incomplete, at least for long-term. Every changelog must contain all changes and fixes from the previous same-channel release, not from the previous release by number. It will eliminate such problems, as in ...
by karlisi
Mon Jul 08, 2019 8:46 am
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 17
Views: 15001

Re: L2TP VPN can not connect on Windows 10

Thanks, I will test it.

And yes, this should go to separate topic
by karlisi
Fri Jul 05, 2019 2:44 pm
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 17
Views: 15001

Re: L2TP VPN can not connect on Windows 10

I assume you have good reasons to take all this burden (registry tweaking or implementing my trick) rather than running the L2TP/IPsec directly on the outer Mikrotik.
Don't want to enable proxy-arp on LAN interface, to access devices on internal network.
by karlisi
Fri Jul 05, 2019 1:32 pm
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 17
Views: 15001

Re: L2TP VPN can not connect on Windows 10

Ah, I see, I should explain better. The l2tp server is running on another Mikrotik device behind the Mikrotik router. Windows l2tp client -> remote LAN -> SOHO router -> Internet -> Mikrotik router with dst-nat -> LAN -> Mikrotik l2tp server. In this setup the VPN can't connect without the Windows registry modification.
by karlisi
Fri Jul 05, 2019 9:05 am
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 17
Views: 15001

Re: L2TP VPN can not connect on Windows 10

(optional for clarity) add a bridge interface with no member ports attach the public IP of the NAT behind which the server Mikrotik lives to an interface on the Mikrotik as a /32 one (normally to the portless bridge one created above, but you can use any interface) /ip firewall nat print chain=dstn...
by karlisi
Thu Jul 04, 2019 3:36 pm
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 17
Views: 15001

Re: L2TP VPN can not connect on Windows 10

it is possible to run an LT2P/IPsec server on a Mikrotik behind a NATing device even without tweaking the Windows registry, the price to pay is that the clients then cannot have public IPs directly on themselves. How? We have many sites with Windows clients behind src-nat and l2tp/ipsec server behi...
by karlisi
Thu Jul 04, 2019 9:23 am
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 17
Views: 15001

Re: L2TP VPN can not connect on Windows 10

It is not clear from your post, how your network is set up. I assume, L2TP server is behind router with dst-nat to this server, and you are trying to connect from Windows client. If so, Windows registry modification is required on client computer. Read this (although article is about Windows Vista, ...
by karlisi
Fri Jun 28, 2019 8:12 am
Forum: Beginner Basics
Topic: L2TP SERVER BEHIND NAT
Replies: 5
Views: 4469

Re: L2TP SERVER BEHIND NAT

As you already found, this is a Windows problem. You can't solve it another way, only by patching every Windows client.
by karlisi
Tue Jun 25, 2019 4:48 pm
Forum: Beginner Basics
Topic: Firewall rule for accessing winbox
Replies: 7
Views: 4227

Re: Firewall rule for accessing winbox

chain=input is for incoming packets destined for the router itself.
by karlisi
Wed Jun 19, 2019 4:09 pm
Forum: RouterBOARD hardware
Topic: MTBF of RouterBOARD
Replies: 16
Views: 6520

Re: MTBF of RouterBOARD

UP! Mikrotik APs compliant with the wifi4eu minimum specs? As request from WiFi4EU 9.2.1 What are the technical requirements for the WiFi4EU Access Points? (...) Supports IEEE 802.11r Supports IEEE 802.11k Supports IEEE 802.11v (...) These protocols are missing in Mikrotik products, so they are not...
by karlisi
Wed May 29, 2019 4:23 pm
Forum: General
Topic: Enable NTP Client [SOLVED]
Replies: 4
Views: 1313

Re: Enable NTP Client [SOLVED]

Yes
by karlisi
Wed May 29, 2019 9:46 am
Forum: General
Topic: Simple config but Internet not working.
Replies: 1
Views: 679

Re: Simple config but Internet not working.

Try this
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether13WAN
Not related to connection problems, but you have very insecure firewall rules. In the input chain you should block everything, allowing only the needed inputs. Also, the forward chain is empty.
by karlisi
Fri May 24, 2019 10:04 am
Forum: Beginner Basics
Topic: Ban IP's / Drop connections of RDP Brute forcers
Replies: 6
Views: 1666

Re: Ban IP's / Drop connections of RDP Brute forcers

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain. In simple english, why drop is in input chain, not in raw? Perhaps linked wiki is intended to show the principle, not working configuration. You never know what other firewall rules are ...
by karlisi
Fri May 17, 2019 8:26 am
Forum: Wireless Networking
Topic: CAPsMAN channel selection
Replies: 7
Views: 5751

Re: CAPsMAN channel selection

It's OK if these CAPs are far away from one another. You can reduce the reselect interval to force CAPs to check more often for a less busy frequency.
by karlisi
Mon Apr 29, 2019 3:27 pm
Forum: General
Topic: Ipsec error in Log [SOLVED]
Replies: 4
Views: 1449

Re: Ipsec error in Log [SOLVED]

i don't use IPSEC at all how can i disable it?
Review the firewall input chain, perhaps you have unnecessary ports or protocols open. Best practice is to close everything except what you are actually using.
by karlisi
Mon Apr 29, 2019 1:32 pm
Forum: General
Topic: Ipsec error in Log [SOLVED]
Replies: 4
Views: 1449

Re: Ipsec error in Log [SOLVED]

Also what is the TCP connection established towards my router? These are connections to your PPTP server. 'TCP connection established' does not necessarily mean someone was able to get in; it means someone established a connection and was able to begin the authentication process. The same for ipsec error...
by karlisi
Tue Apr 23, 2019 11:03 am
Forum: General
Topic: POE Out [SOLVED]
Replies: 4
Views: 1076

Re: POE Out [SOLVED]

Typical RB951 power consumption is about 0.13A on startup and about 0.1A when running. If this is a 24V 0.8A power adapter then yes, you can, because both RBs will use 0.26A max.
by karlisi
Mon Apr 15, 2019 5:46 pm
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 6200

Re: L2TP with RADIUS

Try to use a simpler RADIUS configuration
/radius
add address=192.168.7.70 secret=AgileroSecret123 service=ppp src-address=192.168.7.1

I can't ping my AD Server (192.168.7.70) using udp 1812/1813

Did you try this from the Mikrotik?
by karlisi
Fri Apr 12, 2019 10:22 am
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 6200

Re: L2TP with RADIUS

If L2TP client is Windows, run this command in Windows administrative command window (cmd -> run as administrator), then restart Windows:
reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
by karlisi
Wed Apr 10, 2019 11:48 am
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 6200

Re: L2TP with RADIUS

Unable to access LAN from VPN client
viewtopic.php?t=85962
by karlisi
Wed Apr 10, 2019 11:44 am
Forum: Beginner Basics
Topic: L2TP with RADIUS
Replies: 8
Views: 6200

Re: L2TP with RADIUS

For Mikrotik and Windows AD integration I used this tutorial
https://mivilisnet.wordpress.com/2018/1 ... indows-ad/
by karlisi
Mon Mar 04, 2019 10:02 am
Forum: Wireless Networking
Topic: CAPSMAN - Upgrade Policy - Require same version - should always work - suggestion
Replies: 3
Views: 1893

Re: CAPSMAN - Upgrade Policy - Require same version - should always work - suggestion

You can download and upload the latest release of RouterOS in the files section of your CHR then point cAPs via CAPsMAN to pickup the latest ROS from there and update. Could be MIPSBE or any other. There is one problem. You should first upgrade the CAPsMAN, and after that upload files for other pla...
by karlisi
Mon Feb 25, 2019 4:32 pm
Forum: General
Topic: Upgrade fails if .npk for other platforms are present
Replies: 0
Views: 819

Upgrade fails if .npk for other platforms are present

If I remember correctly, some time ago it was possible to upload to CAPsMAN router all needed packages for APs and router itself. After restart router was upgraded and all APs too, if "suggest same version" upgrade policy was enabled. Now, if there are additional .npk files uploaded Router...
by karlisi
Thu Feb 21, 2019 4:28 pm
Forum: Wireless Networking
Topic: Identify which CAPsMAN interface belongs to which AP [SOLVED]
Replies: 2
Views: 961

Re: Identify which CAPsMAN interface belongs to which AP [SOLVED]

/caps-man provisioning add name-format=identity
by karlisi
Fri Feb 15, 2019 1:11 pm
Forum: Scripting
Topic: Contribute backup script to FTP [SOLVED]
Replies: 2
Views: 1147

Re: Contribute backup script to FTP [SOLVED]

Sometimes it's good to have a configuration export too:
# $filename is set earlier in the script from the thread
/system backup save name=$filename password=xxxxx
:delay 3s
/export file=$filename
by karlisi
Mon Feb 11, 2019 10:52 am
Forum: RouterBOARD hardware
Topic: Mikrotik Poe Cascading
Replies: 6
Views: 1740

Re: Mikrotik Poe Cascading

We have at some sites RB260GSP -> RB951Ui-2HnD -> RB951Ui-2HnD chained, at some 2 chains on one switch, without problems for more than 3 years. From my experience RB951 power consumption is about 130mA on boot, about 95mA when booted, so theoretically we can put such chains on all 4 outputs.
by karlisi
Fri Feb 08, 2019 2:54 pm
Forum: Beginner Basics
Topic: Cloud Router Switch administration [SOLVED]
Replies: 11
Views: 2092

Re: Cloud Router Switch administration [SOLVED]

Use one of combo ports for connection to PC.
Do you see the device in Winbox? Try to connect using the MAC address.
https://i.mt.lv/cdn/rb_files/1539897967 ... lus-qg.pdf
by karlisi
Fri Feb 01, 2019 2:34 pm
Forum: General
Topic: Winbox Urgent Suggestion
Replies: 15
Views: 2186

Re: Winbox Urgent Suggestion

i have the right to use a winbox version that is compatible with my OS
As the Winbox name suggests, it's a Windows Box.
by karlisi
Thu Jan 10, 2019 10:04 am
Forum: Beginner Basics
Topic: Noob firewall question - being brute forced
Replies: 7
Views: 1328

Re: Noob firewall question - being brute forced

If I understand correctly these could be commands I'd need to use after adding all WAN addresses to a custom contacts list MyContactList?(I replaced RDP /w TCP as per @mkx comment and used 8.8.8.8 as server IP for this example) Do I need to use the WinBox software to execute this or can I do it fro...
by karlisi
Fri Dec 28, 2018 3:47 pm
Forum: RouterBOARD hardware
Topic: RB750 Aluminum Electrolytic Capacitor SMD need replacement
Replies: 3
Views: 1366

Re: RB750 Aluminum Electrolytic Capacitor SMD need replacement

If there is a lowercase j, not a capital J, after 330, then it is 330 µF, 6.3 V, 105 °C
by karlisi
Thu Dec 20, 2018 4:31 pm
Forum: Beginner Basics
Topic: Strange UDP Packet to 81.198.87.240 [SOLVED]
Replies: 1
Views: 1051

Re: Strange UDP Packet to 81.198.87.240 [SOLVED]

# nslookup cloud.mikrotik.com
Name: cloud.mikrotik.com
Address: 81.198.87.240
by karlisi
Fri Dec 14, 2018 10:19 am
Forum: General
Topic: Feature request: CAPsManager - roaming
Replies: 80
Views: 33748

Re: Feature request: CAPsManager - roaming

The project requirements for WiFi4EU are:
(..)
support IEEE 802.11r
(..)
But unfortunately Mikrotik does not meet the requirements.
We also wanted to participate in this project to extend our infrastructure. It seems EU money will go to another company. Perhaps Mikrotik doesn't need this money?
by karlisi
Thu Dec 13, 2018 9:46 am
Forum: Wireless Networking
Topic: cAP ac: Alternative brackets
Replies: 5
Views: 1788

Re: cAP ac: Alternative brackets

Can you clarify about the cable not bending enough to fit into the wall? I just don't see the issue. Subject: 19.0 What is the Minimum Bending Radius for a Cable? According to EIA SP-2840A (a draft version of EIA-568-x) the minimum bend radius for UTP is 4 x cable outside diameter, about one inch. ...
by karlisi
Tue Dec 11, 2018 2:05 pm
Forum: Beginner Basics
Topic: Router Optimization
Replies: 7
Views: 2945

Re: Router Optimization

I hope you also have some rules to protect the router from attacks, not only those shown, and that your router isn't transferring any malicious traffic either. IMHO it's enough to have 1 rule instead of 3 in the forward chain; there is no need to specify ports /ip firewall filter add action=fasttrack-connection chain...
by karlisi
Tue Dec 04, 2018 10:28 am
Forum: General
Topic: Tls host not work
Replies: 9
Views: 7354

Re: Tls host not work

It works, at least on 6.42.10
You should remove the port, leaving only tls-host. And this rule must be before the 'accept established, related' rule.
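Why the order matters, shown as an added forward-chain example that is not from this thread or the "Router Optimization" one above: the SNI a tls-host rule matches on sits in the TLS ClientHello, which the client sends only after the TCP handshake, so by the time it arrives connection tracking already reports the connection as established. An 'accept established,related' rule above it therefore never lets the tls-host rule see the ClientHello. ether1 as the uplink and *.example.com as the blocked pattern are assumptions.

```routeros
# Added example (not from the threads): forward chain with a tls-host rule.
# Assumptions: ether1 = Internet uplink, the blocked SNI is illustrative.
/ip firewall filter
# First: SNI match. No dst-port, so it also catches TLS on non-443 ports.
add chain=forward action=drop protocol=tcp tls-host=*.example.com \
    comment="drop SNI *.example.com (illustrative)"
# Only now the fast path for everything already tracked
add chain=forward action=accept connection-state=established,related \
    comment="accept established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# New connections from the Internet are allowed only if a dst-nat rule
# explicitly forwarded them; everything else unsolicited from ether1 dies here
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 comment="drop new from WAN not DSTNATed"
# Check: after a client opens https://something.example.com the first rule's
# packet counter must increase. If it stays at 0, a rule above it (or a
# fasttrack rule) is taking the packets first.
/ip firewall filter print stats chain=forward
```

If a single fasttrack-connection rule for established,related replaces per-port fasttrack rules, keep it below the tls-host rule and re-run the counter check: packets of a connection that has been marked for fasttrack bypass the filter entirely, so a fasttrack rule that matches too early silently turns SNI blocking off.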
by karlisi
Thu Nov 22, 2018 10:40 am
Forum: General
Topic: don´t upgrade last version MKT1100AHx2
Replies: 1
Views: 606

Re: don´t upgrade last version MKT1100AHx2

What's in the log?
by karlisi
Tue Nov 20, 2018 2:00 pm
Forum: Beginner Basics
Topic: MIkrotik backup script
Replies: 4
Views: 1365

Re: MIkrotik backup script

I would have added Year :)
It wasn't in OP requirements ;)
by karlisi
Tue Nov 20, 2018 10:10 am
Forum: Beginner Basics
Topic: MIkrotik backup script
Replies: 4
Views: 1365

Re: MIkrotik backup script

Something like this? :local filename; :local date [/system clock get date]; :local name [/system identity get name]; :local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","no...
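A complete version of the idea from this post and from the "Contribute backup script to FTP" post above, written as an added example rather than the script posted in the thread: build a date-stamped file name from the router identity, then write both the encrypted .backup and a plain-text .rsc export. It assumes RouterOS v6, where [/system clock get date] returns "mmm/dd/yyyy" (e.g. "nov/20/2018"); the backup password is a placeholder.

```routeros
# Added example (not from the threads): date-stamped backup plus export.
# Assumptions: RouterOS v6 date format "mmm/dd/yyyy"; BackupPass is a placeholder.
:local identity [/system identity get name]
:local date [/system clock get date]
:local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec")
# Month name -> zero-padded month number, so file names sort chronologically
:local mon ([:find $months [:pick $date 0 3]] + 1)
:local mm $mon
:if ($mon < 10) do={ :set mm ("0" . $mon) }
:local dd [:pick $date 4 6]
:local yyyy [:pick $date 7 11]
:local filename ($identity . "-" . $yyyy . $mm . $dd)
# The .backup file is encrypted with the password. The .rsc export is plain
# text, so hide-sensitive keeps keys and passwords out of it in case the file
# is copied off the router (drop hide-sensitive if you need a full restore script).
/system backup save name=$filename password=BackupPass
:delay 3s
/export file=$filename hide-sensitive
:log info ("backup and export written as " . $filename)
```

Run it from /system script or a scheduler entry and check /file afterwards for the pair of files. On RouterOS v7.10 and later the clock date is returned in ISO form (yyyy-mm-dd), so the :pick offsets and the month lookup would have to change.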
by karlisi
Wed Nov 07, 2018 4:42 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 17
Views: 5636

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

Not related to VPN problems, but the /ip firewall rules are not in optimal order. In the input chain put the 'allow established, related' rules on top.
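The same point appears in several of the posts above (block everything in the input chain and allow only what is needed; let a guest network reach only DHCP and DNS on the router; close unused ports and protocols). As an added example that is not from any of those threads, one ordered input chain that does all of it. Interface names, the LAN subnet 192.168.88.0/24 and the management ports (8291 winbox, 22 ssh) are assumptions.

```routeros
# Added example (not from the threads): default-deny input chain.
# Assumptions: ether1 = Internet uplink, bridge-lan = trusted LAN
# (192.168.88.0/24), wlan-guest = guest WLAN.
/ip firewall filter
# Established/related first: nearly every packet matches here, so the
# stricter rules below are evaluated only for new connections
add chain=input action=accept connection-state=established,related \
    comment="accept established,related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# Guest network: DHCP and DNS from the router, nothing else
add chain=input action=accept in-interface=wlan-guest protocol=udp dst-port=67 \
    comment="guest: DHCP"
add chain=input action=accept in-interface=wlan-guest protocol=udp dst-port=53 \
    comment="guest: DNS udp"
add chain=input action=accept in-interface=wlan-guest protocol=tcp dst-port=53 \
    comment="guest: DNS tcp"
add chain=input action=drop in-interface=wlan-guest comment="guest: drop all else"
# Trusted LAN: DHCP, DNS, ping and management
add chain=input action=accept in-interface=bridge-lan protocol=udp dst-port=53,67 \
    comment="LAN: DNS, DHCP"
add chain=input action=accept in-interface=bridge-lan protocol=tcp dst-port=53 \
    comment="LAN: DNS tcp"
add chain=input action=accept in-interface=bridge-lan protocol=icmp comment="LAN: ping"
add chain=input action=accept in-interface=bridge-lan src-address=192.168.88.0/24 \
    protocol=tcp dst-port=8291,22 comment="LAN: winbox, ssh"
# Everything else, including all unsolicited traffic arriving on ether1, is
# dropped and logged so the log can later be shipped to a central collector
add chain=input action=drop log=yes log-prefix="input-drop" comment="drop all else"
# Services that are not used should not listen at all, whatever the firewall says,
# and the ones that are used should only answer the management subnet
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
```

To verify, generate some traffic and look at `/ip firewall filter print stats chain=input`: the counters on the first rule should dominate, the final drop should be catching the scanner noise from ether1, and `/ip service print` should show only winbox and ssh enabled with an address restriction. If a VPN server (L2TP/IPsec, PPTP) is meant to be reachable from the Internet, its ports get their own accept rules above the final drop, not a blanket accept on ether1.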
by karlisi
Wed Nov 07, 2018 4:36 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 17
Views: 5636

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

Try this
/ppp profile
add dns-server=192.168.90.254 local-address=192.168.90.254 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
by karlisi
Wed Nov 07, 2018 3:45 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 17
Views: 5636

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

It's very hard to guess what is wrong only from the video and screenshots. Can you post the output from /export hide-sensitive ?
by karlisi
Tue Nov 06, 2018 10:01 am
Forum: The Dude
Topic: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?
Replies: 6
Views: 3384

Re: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?

I don't think they overlap, and I would implement Dude, Splunk and, in place of Cacti, Zabbix.
Dude for management and very basic monitoring, but it can do more.
Splunk (I am using its alternative, Graylog) for log collecting, log analyzing and alerting.
Zabbix for monitoring, graphing and alerting.
by karlisi
Thu Oct 25, 2018 4:39 pm
Forum: General
Topic: Redirect request by source IP in a scenario with Server Microsoft (DC)
Replies: 3
Views: 918

Re: Redirect request by source IP in a scenario with Server Microsoft (DC)

For domain-joined workstations it is mandatory to have AD-aware DNS servers configured. If you configure a DNS server on them which knows nothing about AD, it will break domain authentication.
by karlisi
Wed Oct 24, 2018 10:30 am
Forum: Beginner Basics
Topic: Mikrotik as a switch with wifi
Replies: 8
Views: 3471

Re: Mikrotik as a switch with wifi

Try this
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n frequency=2422 name=wlan2.4 \
ssid=NETGEAR48 mode=station-pseudobridge
by karlisi
Thu Sep 20, 2018 2:34 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 136002

Re: Winbox vulnerability: please upgrade

would check firewall rules for unsafe entries on every upgrade
What is considered unsafe entry? And how would you determine that particular entry is unsafe in specific firewall?
Everything outside default protection rules. It should be only warning, nothing else.
by karlisi
Thu Sep 20, 2018 12:41 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 136002

Re: Winbox vulnerability: please upgrade

In some cases Windows 10 forces the user to restart the computer, not letting them do anything else. It's almost the same, except if the user wants to sit and look at smth like "You must restart Your computer to finish important update" forever. It's offtopic, imho. Mikrotik should not change upgrade to ...
by karlisi
Fri Sep 14, 2018 12:14 pm
Forum: General
Topic: NAT Setup: Access from internal network is OK, but from internet show mikrotik login page
Replies: 1
Views: 908

Re: NAT Setup: Access from internal network is OK, but from internet show mikrotik login page

First, it's not good to open all webserver's ports to whole world. dst-nat rules should be something like this chain=dstnat action=dst-nat to-addresses=192.168.89.254 to-ports=443 protocol=tcp dst-address=2.184.70.46 dst-port=443 log=no chain=dstnat action=dst-nat to-addresses=192.168.89.254 to-port...
by karlisi
Wed Aug 29, 2018 10:57 am
Forum: Wireless Networking
Topic: CAPsMAN - can't get 5GHz band on wAP ac to work [SOLVED]
Replies: 15
Views: 8846

Re: CAPsMAN - can't get 5GHz band on wAP ac to work [SOLVED]

See the CAPsMAN configuration below. The wAP ac has only ever been configured as CAP using the button. To me the configuration looks fine, and I'm not seeing any errors (such as "no supported channel"). But I'm new to CAPsMAN, probably I'm missing something obvious? [admin@MikroTik] /caps...
by karlisi
Tue Jul 31, 2018 3:10 pm
Forum: General
Topic: MT Forum problems (posting/upload)
Replies: 4
Views: 1476

Re: MT Forum problems (posting/upload)

After posting, a white screen is shown instead of the usual next screen.
However, the posting appears when reloading the forum.
It's fixed, nice
by karlisi
Tue Jul 31, 2018 9:53 am
Forum: Beginner Basics
Topic: Troublesome Firewall rule (NAT?)
Replies: 6
Views: 1332

Re: Troublesome Firewall rule (NAT?)

Perhaps it's a typo, in text you have 10.0.0.155, in NAT rule IP is 10.0.0.55 Remove from NAT rule src-port=8082 and add in-interface=your-wan-interface (or dst-address=your-wan-ip) to it. And, you don't need this firewall rule, except, if you are blocking all tcp ports in forward chain (unlikely). ...
by karlisi
Mon Jul 30, 2018 10:48 am
Forum: General
Topic: problem accessing the mikrotik VM
Replies: 1
Views: 518

Re: problem accessing the mikrotik VM

You can log in from VM management.
BTW version 6.38.3 is vulnerable to at least 2 threats, consider to upgrade, more on https://blog.mikrotik.com/security/
by karlisi
Mon Jul 16, 2018 11:44 am
Forum: General
Topic: How do i access mikrotik, i forwarded the only service port (winbox) to an nother ip by accident [SOLVED]
Replies: 3
Views: 969

Re: How do i access mikrotik, i forwarded the only service port (winbox) to an nother ip by accident [SOLVED]

If You can access router physically and know IP address from which it is accessible, connect it directly to Your computer, set on computer this (wrong) IP address and that's all. If not, ask ISP, sorry.
by karlisi
Fri Jul 13, 2018 3:28 pm
Forum: General
Topic: Automatically upgrade CAPs MIPSBE over CAPsMAN ARM
Replies: 2
Views: 1904

Re: Automatically upgrade CAPs MIPSBE over CAPsMAN ARM

Upload mipsbe package to RB3011.
Configure CAPsMAN accordingly (change path if needed)
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
That's all. The upgrade process will start immediately, all CAPs will restart as a result.
by karlisi
Wed Jul 11, 2018 8:45 am
Forum: Beginner Basics
Topic: Connecting routers through POE ports
Replies: 4
Views: 1289

Re: Connecting routers through POE ports

Seems like it's quite possible to have two units daisy-chained (even using PoE injector), but not more. I can confirm this, we have daisy chained two RB951Ui-2HnD and two hAP in many places. On startup they are consuming from power unit about 150mA each, so, perhaps 3 units chained are acceptable, ...
by karlisi
Wed Jul 11, 2018 8:22 am
Forum: General
Topic: PPTP question [SOLVED]
Replies: 3
Views: 1169

Re: PPTP question [SOLVED]

It means someone is trying to get in. These messages are written for every attempt, successful or unsuccessful. For unsuccessful authentication typically there are no additional messages (default configuration). If authentication was successful, there should be a message like 'username logged in'.
by karlisi
Tue Jul 10, 2018 10:51 am
Forum: Beginner Basics
Topic: How specific do you make your FW rules?
Replies: 4
Views: 1230

Re: How specific do you make your FW rules?

I have from 9 to 60 rules on different sites, it depends. 30 rules for 2 WANs is not so much, I think.
by karlisi
Fri Jul 06, 2018 2:42 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 63
Views: 45599

Re: Winbox v3.16 released!

Hello everybody,
Faton
Start new topic, please! This is for problems with Winbox v3.16 only!
by karlisi
Wed Jul 04, 2018 10:32 am
Forum: Wireless Networking
Topic: CAPsMAN very bad performance
Replies: 2
Views: 2472

Re: CAPsMAN very bad performance

Try a different channel.
Or better, let the CAP choose the channel and to avoid conflicts with other devices set reselect channel every 1 minute
/caps-man channel
add band=2ghz-g/n reselect-interval=1m name="ch 2"
by karlisi
Fri Jun 22, 2018 12:30 pm
Forum: General
Topic: The security flaw for Hajime is closed by the firewall
Replies: 37
Views: 27303

Re: The security flaw for Hajime is closed by the firewall

maybe it infected the backup file ?
Did you restore from a .backup file rather than from a configuration backup (.rsc file)?
by karlisi
Wed Jun 13, 2018 3:58 pm
Forum: Beginner Basics
Topic: Windows Domain Controller blocked by Mikrotik firewall?
Replies: 9
Views: 2684

Re: Windows Domain Controller blocked by Mikrotik firewall?

Your AD DC IP is 192.168.0.200 and have DHCP server on it? If so, why to use DHCP on Mikrotik? 2 DHCP servers in one network is a big mess. Disable DHCP server and DHCP relay on Mikrotik and use Windows DHCP. Configure it properly to give Windows DNS server address as only DNS server for clients. Re...
by karlisi
Mon Jun 11, 2018 5:15 pm
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 5518

Re: Capsman scheduler

And if you disable all provisioning rules by hand and execute provision on all radios, the interfaces are still there?
by karlisi
Mon Jun 11, 2018 1:20 pm
Forum: General
Topic: MT Router honeypot.
Replies: 20
Views: 4269

Re: MT Router honeypot.

This can be fun :) I suggest to forward the log to some syslog server, for some analysis later.
by karlisi
Mon Jun 11, 2018 8:39 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 5518

Re: Capsman scheduler

Are you sure your APs are managed by CAPsMAN? Are they on /capsman interface ?
by karlisi
Fri Jun 08, 2018 8:33 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 5518

Re: Capsman scheduler

Post export from /capsman provisioning and /capsman configuration please.
by karlisi
Tue Jun 05, 2018 11:14 am
Forum: RouterBOARD hardware
Topic: CRS317 vertical operation? [SOLVED]
Replies: 3
Views: 1408

Re: CRS317 vertical operation? [SOLVED]

There are heat pipes inside the case to transfer heat to external radiator. There is no fan on radiator and radiator ribs are designed for horizontal use of the case. You can use it vertically but it needs temp monitoring and perhaps some additional fan for external cooling.
by karlisi
Tue Jun 05, 2018 9:34 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 5518

Re: Capsman scheduler

So, something wrong with configurations included in these provisionings.
by karlisi
Mon Jun 04, 2018 2:19 pm
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 5518

Re: Capsman scheduler

Only the first enabled provisioning rule will be in effect, if no additional filtering parameters (hw-supported-modes, identity-regexp, etc.) are set. If you want to disable all 4 provisioning rules at once, try my scripts: /caps-man provisioning enable numbers=[find] :delay 1 /caps-man radio provis...
by karlisi
Mon Jun 04, 2018 10:34 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 5518

Re: Capsman scheduler

Try on first line
/caps-man provisioning disable numbers=[find]
And on second script too. This should disable and enable all configurations.
by karlisi
Wed May 30, 2018 11:05 am
Forum: Scripting
Topic: Capsman scheduler
Replies: 21
Views: 5518

Re: Capsman scheduler

You already have provisioning rules configured. Create these scripts and schedule to run them.

to enable
/caps-man provisioning enable 0
:delay 1
/caps-man radio provision numbers=[find]
to disable
/caps-man provisioning disable 0
:delay 1
/caps-man radio provision numbers=[find]
by karlisi
Wed May 23, 2018 2:13 pm
Forum: General
Topic: ICMP issue in src-nat
Replies: 2
Views: 946

Re: ICMP issue in src-nat

This is expected, src-nat works for outgoing packets from internal network to outside. To deliver packets from outside to internal network You need dst-nat rule.
by karlisi
Mon May 21, 2018 3:53 pm
Forum: Beginner Basics
Topic: What do i need to learn to become proficient quickly?
Replies: 20
Views: 3227

Re: What do i need to learn to become proficient quickly?

Strange link that was.
Perhaps, but I found it very useful. And it's from Mikrotik :)
by karlisi
Wed May 09, 2018 8:22 am
Forum: Virtualization
Topic: how to install chr on xen server
Replies: 1
Views: 2817

Re: how to install chr on xen server

I imported OVA package, went smooth.
by karlisi
Wed Mar 14, 2018 3:01 pm
Forum: The Dude
Topic: Is possible to analyze a network with PC with Windows and The Dude?
Replies: 1
Views: 1013

Re: Is possible to analyze a network with PC with Windows and The Dude?

No, You will need Windows for the Dude client and one Mikrotik RouterOS device with the dude package installed. It is not necessary to purchase Mikrotik hardware if You don't have one. You can use CHR on a virtual machine https://wiki.mikrotik.com/wiki/Manual:CHR
by karlisi
Fri Feb 16, 2018 10:11 am
Forum: Beginner Basics
Topic: Block websites http and https without Web Proxy / 100% works.
Replies: 17
Views: 19734

Re: Block websites http and https without Web Proxy / 100% works.

You can check this configuration, all IPs are Facebook IPs. Not exactly. Big names, as FB, Google, Microsoft, host their data on many data-centers worldwide, which also host data for many other organizations. By blocking their addresses, You will block all services from these IP, i.e., software u...
by karlisi
Thu Jan 25, 2018 8:35 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 110549

Re: v6.41 [current]

Could we expect that 6.40.5 will become "bugfix" or 6.40.6 with fixes from 6.41?

6.40.5 is the last with "old-known-bridge-implementation" technology and not all want to upgrade to "new-better-but-not-too-familiarized" one.
+1001
by karlisi
Mon Jan 22, 2018 9:08 am
Forum: Beginner Basics
Topic: How to block SSH attackers after 3 bad logins?
Replies: 21
Views: 15538

Re: How to block SSH attackers after 3 bad logins?

This will block ssh after 2nd time. To block after 4th time using this method, use 3 temporary stages and then add to blacklist. I made something like this, don't know if it's ok. If somebody tries to ssh 4 times in 15 seconds, it will block him. What do you think? add action=drop chain=input comment=&...
by karlisi
Mon Jan 15, 2018 2:50 pm
Forum: Beginner Basics
Topic: How to block SSH attackers after 3 bad logins?
Replies: 21
Views: 15538

Re: How to block SSH attackers after 3 bad logins?

If You want to keep ssh wide open, this is working configuration to add some brute-forcers to blacklist. Then You can use this blacklist to fully block these addresses (be careful, You can block yourself too) or only block ssh and perhaps some other sensitive ports. add action=jump chain=input comme...
by karlisi
Fri Jan 12, 2018 10:26 am
Forum: General
Topic: capsman V2 package - cant find it to update my routerboard and Cap [SOLVED]
Replies: 1
Views: 1094

Re: capsman V2 package - cant find it to update my routerboard and Cap [SOLVED]

CAPsMAN v2 is included by default in latest routeros (both bugfix and current).
by karlisi
Wed Dec 20, 2017 4:55 pm
Forum: Wireless Networking
Topic: CAPsMAN with two SSIDs
Replies: 10
Views: 6340

Re: CAPsMAN with two SSIDs

Perhaps try simpler configuration /caps-man configuration add channel=loader datapath=loader mode=ap name=cfg1 security=security1 ssid=loader-new add datapath=free mode=ap name=free-new security=security2 ssid=free-new /caps-man provisioning add action=create-dynamic-enabled master-configuration=cfg...
by karlisi
Wed Dec 20, 2017 10:26 am
Forum: Wireless Networking
Topic: CAPsMAN with two SSIDs
Replies: 10
Views: 6340

Re: CAPsMAN with two SSIDs

Try without specifying interfaces
by karlisi
Wed Dec 20, 2017 8:23 am
Forum: Wireless Networking
Topic: CAPsMAN with two SSIDs
Replies: 10
Views: 6340

Re: CAPsMAN with two SSIDs

It's impossible to see Your configuration from screenshots. Please post output from /caps-man export
by karlisi
Fri Dec 08, 2017 10:21 am
Forum: General
Topic: Using Splunk to analyse MikroTik logs
Replies: 104
Views: 34932

Re: Using Splunk to analyse MikroTik logs

Took little test yesterday. Great tool for log analysis. One big problem for free licence, no email alerts :(
by karlisi
Fri Nov 24, 2017 10:47 am
Forum: General
Topic: Tool: Realtime per IP traffic monitor for home/office
Replies: 291
Views: 354371

Re: Tool: Realtime per IP traffic monitor for home/office

Many thanks for this tool!
by karlisi
Fri Nov 24, 2017 9:41 am
Forum: Beginner Basics
Topic: Separation of traffic from different networks to different external addresses on 1 WAN port
Replies: 2
Views: 856

Re: Separation of traffic from different networks to different external addresses on 1 WAN port

You should have 2 IP addresses on WAN interface, then dst-nat like this add action=src-nat chain=srcnat out-interface=WAN src-address=10.1.1.0/24 to-addresses=1.1.1.9/29 add action=src-nat chain=srcnat out-interface=WAN src-address=10.2.1.0/24 to-addresses=1.1.1.10/29 Your example for example for ne...
by karlisi
Wed Nov 08, 2017 9:56 am
Forum: Wireless Networking
Topic: CAPsMAN manager can't manage its own wireless [SOLVED]
Replies: 20
Views: 32447

Re: CAPsMAN manager can't manage its own wireless [SOLVED]

Check discovery interface on CAP settings. Should be LAN interface.
by karlisi
Fri Nov 03, 2017 1:58 pm
Forum: General
Topic: DNS in mikrotik and DC on Windows Server
Replies: 4
Views: 10020

Re: DNS in mikrotik and DC on Windows Server

I understand why you want Mikrotik to be the second DNS server, but in Windows AD this is not good idea. You should configure Windows AD DCs as only DNS servers for your LAN. You can then configure Windows DNS to forward requests to your provider's DNS servers directly, or to Mikrotik. On Mikrotik u...
by karlisi
Mon Oct 30, 2017 10:04 am
Forum: General
Topic: Backup and restore Router OS
Replies: 1
Views: 661

Re: Backup and restore Router OS

Do not restore backup on another device. To transfer configuration to another device use export and import
https://wiki.mikrotik.com/wiki/Manual:C ... Management
by karlisi
Fri Oct 27, 2017 8:10 am
Forum: General
Topic: Article about new "Reaper" or "loTroop" Botnet
Replies: 6
Views: 2033

Re: Article about new "Reaper" or "loTroop" Botnet; lists Mikrotik as vulnerable

If You read carefully, these are issues not related to this attack, only can be potentially exploited (at least, Checkpoint thinks so). As said before in one of posts in this forum, if You are on latest versions of ROS, You are OK.
by karlisi
Thu Oct 12, 2017 11:04 am
Forum: Beginner Basics
Topic: forward chain: no packets go through [SOLVED]
Replies: 10
Views: 2581

Re: forward chain: no packets go through [SOLVED]

Which ports are in your bridge?
Also post nat rules.
by karlisi
Thu Oct 12, 2017 10:56 am
Forum: Wireless Networking
Topic: CAPSMAN + Guest WiFi
Replies: 16
Views: 14386

Re: CAPSMAN + Guest WiFi

Next time don't post sensitive data, like passwords, publicly.
Disable this nat rule and check if problem is resolved
add action=masquerade chain=srcnat out-interface=bridgeopen src-address=\
    10.35.0.0/24