Search found 821 matches

by mutluit
Fri Feb 09, 2024 2:33 pm
Forum: General
Topic: Howto locate the parent address entry (subnet/range definition) of an IP ?
Replies: 3
Views: 350

Re: Howto locate the parent address entry (subnet/range definition) of an IP ?

I find it wrong to put the blacklist before the whitelist. First of all must pass the whitelisted IPs, then block the blacklisted IPs. Hmm. will check, thx. What do you think: isn't it then better to remove (delete) the blacklist (my list named "block") completely and instead keep just on...
by mutluit
Fri Feb 09, 2024 12:26 pm
Forum: General
Topic: Logs are not clear and how to block this IP address
Replies: 1
Views: 273

Re: Logs are not clear and how to block this IP address

In the logs, the IP address is displayed, which tries to connect I created two conditions in the rules as shown in the picture, but after that the logs are spammed with the following message anyway dstnat: in:ether1 out:(unknown 0), src-mac 88:90:09:fe:c4:6e, proto TCP (SYN), 80.94.95.227:54422->5....
by mutluit
Fri Feb 09, 2024 12:03 pm
Forum: General
Topic: Howto locate the parent address entry (subnet/range definition) of an IP ?
Replies: 3
Views: 350

Howto locate the parent address entry (subnet/range definition) of an IP ?

Howto locate the parent address entry (subnet/range definition) of an IP ? As is known, an IP can belong to an address entry in a list that is an address range or subnet definition. Such a "parent" address entry is blocking an IP. How to locate that parent address entry if only the IP is ...
by mutluit
Sat Dec 02, 2023 2:12 pm
Forum: General
Topic: Bug in firewall
Replies: 0
Views: 1865

Bug in firewall

MikroTik RouterOS 6.47.10 > /ip firewall filter > disable numbers=19,20 ; print ... 19 X chain=input action=accept 20 X chain=forward action=accept ... > enable numbers=20,19 ; print ... 19 I chain=input action=accept 20 chain=forward action=accept ... > enable numbers=19,20 ; print ... 19 chain=inp...
by mutluit
Fri Nov 03, 2023 6:48 pm
Forum: General
Topic: Router Upgrade causes network lockup
Replies: 5
Views: 1683

Re: Router Upgrade causes network lockup

Which RouterOS versions are affected?
by mutluit
Fri Nov 03, 2023 4:38 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 624970

Re: Feature requests

We need wildcard searching (*) in address-list searches: [xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.3 [xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.0/24 [xxxxx@yyyyy] /ip firewall address-list> print where address=192.168.128 .* Flags: X ...
by mutluit
Fri Nov 03, 2023 4:09 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 624970

Re: Feature requests

We need wildcard searching (*) in address-list searches: [xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.3 [xxxxx@yyyyy] /ip firewall address-list> add list=TEST address=192.168.128.0/24 [xxxxx@yyyyy] /ip firewall address-list> print where address=192.168.128 .* Flags: X -...
by mutluit
Tue Oct 31, 2023 4:09 pm
Forum: General
Topic: Question regarding TLS/SSL server certificates [SOLVED]
Replies: 2
Views: 728

Re: Question regarding TLS/SSL server certificates [SOLVED]

Have a look at the certificate details! It should have the domain mentioned in " subject alternative names ". You are right! My browser (Opera) does not show the alternate names, but the FireFox browser does. Indeed, there are many alt names listed. So, then everything is ok. Sorry for th...
by mutluit
Tue Oct 31, 2023 3:54 pm
Forum: General
Topic: Question regarding TLS/SSL server certificates [SOLVED]
Replies: 2
Views: 728

Question regarding TLS/SSL server certificates [SOLVED]

Hi, I hope this thread about TLS/SSL server certificates is not off-topic here b/c I saw other previous such threads here. I'm not an expert in such PKI certificates, but I know it's to certify that the domain name (or IP) is valid/verified by the certificate issuer. But today I saw an IMO very funny...
by mutluit
Tue Oct 31, 2023 2:48 am
Forum: General
Topic: Routing distance not modifiable [SOLVED]
Replies: 4
Views: 888

Re: Routing distance not modifiable [SOLVED]

Smaller subnets always have priority over larger, distance is only used when there are multiple subnets of the same size. The static route (#5 of /ip route print ) looks incorrect - the gateway should be next hop address, not the interface: /ip route add dst-address=192.168.253.0/24 gateway=192.168...
by mutluit
Tue Oct 31, 2023 2:09 am
Forum: General
Topic: Routing distance not modifiable [SOLVED]
Replies: 4
Views: 888

Re: Routing distance not modifiable [SOLVED]

Routes to direct connected networks (the whole subnet of the assigned IP address of the interface) have a distance of 0, because they are just there at no distance, local to the interface. Dynamic, because that route is not defined in the config, but added because of the local IP address? Should al...
by mutluit
Tue Oct 31, 2023 1:36 am
Forum: Useful user articles
Topic: OpenWRT open source on MikroTik devices (hAP ac2 etc.)
Replies: 9
Views: 3018

Re: OpenWRT open source on MikroTik devices (hAP ac2 etc.)

@mutluit, the main issue is that the hAP ac3 doesn't appear to be supported... Many old supported routers can be purchased for almost nothing if one wants to try OpenWRT (all supported models are listed on the official site). Yes, you are right. I think it's just a matter of time till it gets suppo...
by mutluit
Tue Oct 31, 2023 1:12 am
Forum: Useful user articles
Topic: OpenWRT open source on MikroTik devices (hAP ac2 etc.)
Replies: 9
Views: 3018

Re: OpenWRT open source on MikroTik devices (hAP ac2 etc.)

Thank you for this thread. I am not a network pro but I am interested in trying OpenWRT on a hAP ac3. Some questions to start with: 1. What are your impressions? How does it compare to RouterOS? Pros and cons? 2. Does installing OpenWRT void the warranty of the device? 3. Is it possible to revert t...
by mutluit
Tue Oct 31, 2023 12:28 am
Forum: General
Topic: Routing distance not modifiable [SOLVED]
Replies: 4
Views: 888

Routing distance not modifiable [SOLVED]

Hi, I have these routing settings in ROS v6 (there is no bridge/switch, rather all ports are independent): [XXXXX@YYYYY] > /ip route print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-AD...
by mutluit
Sat Oct 28, 2023 8:14 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1239

Re: Case Study: Disabling NAT and Firewall on LAN Routers

Your IPv4 standard for sure should include "east-west" security these days. What's that? GeoIP blocking? By default each of the 3 LAN's can just chit-chat with each other and that is not really a good plan... That's intended as all 3 LANs are just subsections of the same company, all in t...
by mutluit
Sat Oct 28, 2023 7:18 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1239

Re: Case Study: Disabling NAT and Firewall on LAN Routers

It will work, but it's a dumb design. Why is it a dumb design? Can I design something better? Of course, but nobody would design for free on a forum. Just tell us the main components of your design, ie. the general concept. I hope it doesn't include such overkills like VLAN, BGP, OSPF etc , or does...
by mutluit
Sat Oct 28, 2023 5:23 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1239

Re: Case Study: Disabling NAT and Firewall on LAN Routers

One can create such 3 LANs also on just 1 LAN router. Theoretically it should be possible to do that also on the WAN router, but such ISP WAN routers are mostly castrated "dumb" routers which usually don't allow to create more than 1 LAN, so doing it on a LAN router, after removing the bri...
by mutluit
Sat Oct 28, 2023 3:28 pm
Forum: RouterBOARD hardware
Topic: hAPax2 RAM size 1GB or 128MB ?
Replies: 18
Views: 3593

Re: hAPax2 RAM size 1GB or 128MB ?

Yes, I think this really happened :-( My ac2 has only 128 MB RAM. I think in that case the website always said 128 MB RAM but some users found that they bought a device that in reality had 256 MB RAM, then they bought more and it had 128 MB RAM indeed, and then they started complaining loudly. But ...
by mutluit
Sat Oct 28, 2023 2:33 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1239

Case Study: Disabling NAT and Firewall on LAN Routers

Case Study: Disabling NAT and Firewall on LAN Routers Let's say we have this scenario: Internet | -------------- | WR | -------------- | | | LR1 LR2 LR3 LAN1 LAN2 LAN3 Legend: WR=WANrouter, LR=LANrouter WANrouter IP: 192.168.0.254/24 (LAN0) LANrouter1 IP: 192.168.1.254/24 (LAN1), WANport 192.168.0....
by mutluit
Fri Oct 27, 2023 8:33 pm
Forum: Useful user articles
Topic: OpenWRT open source on MikroTik devices (hAP ac2 etc.)
Replies: 9
Views: 3018

Re: OpenWRT open source on MikroTik devices (hAP ac2 etc.)

At MUM few years I asked MikroTik about packages like in OpenWRT, Asus. They told "no". And years later they bring Docker. But can docker be used on such a small device like the hAPac2 ? As I understand it, docker requires much disk memory, 100+ MB or so, whereas such a hAPac2 has got onl...
by mutluit
Fri Oct 27, 2023 6:54 pm
Forum: Useful user articles
Topic: OpenWRT open source on MikroTik devices (hAP ac2 etc.)
Replies: 9
Views: 3018

OpenWRT open source on MikroTik devices (hAP ac2 etc.)

For more than 3 years I'm using 2 hAPac2 routers and am happy with them (I have also some more MT devices like some big switches). Just for fun today I installed the open source router software OpenWRT on one of the hAPac2, initially just in RAM only for just testing first. It works :-) It has a Web...
by mutluit
Thu Oct 26, 2023 11:57 am
Forum: General
Topic: VLAN Filtering和hardware offloading问题咨询(Consultation on “VLAN filtering” and “hardware offloading” issues)
Replies: 3
Views: 922

Re: VLAN Filtering和hardware offloading问题咨询(Consultation on “VLAN filtering” and “hardware offloading” issues)

I know this switch chip does not support hardware offload when filtering bridge VLANs. What I want to ask is can I achieve MAC authentication for DOT1X when "vlan filtering = no" Not sure, but I guess it's possible. Maybe the following is worth a try to test basic functionality first: Accordin...
by mutluit
Wed Oct 25, 2023 6:59 pm
Forum: General
Topic: Simple Web Server to Host Simple Files [SOLVED]
Replies: 15
Views: 3998

Re: Simple Web Server to Host Simple Files [SOLVED]

Check this: https://mikrotik.xyz/mikrotik/mikrotik-hosting-docker/ Quote: " Web hosting with MikroTik and Docker Hub Containers Attention MikroTik enthusiasts! It’s time to explore the world of Containers! MikroTik’s implementation of Linux containers allows users to run containerized environme...
by mutluit
Wed Oct 25, 2023 1:29 pm
Forum: General
Topic: Improving / Optimizing RouterOS (speed, memory, disk)
Replies: 3
Views: 966

Re: Improving / Optimizing RouterOS (speed, memory, disk)

And why do you write it on the users forum, instead of sending your CV to Mikrotik?
RFC :-)
Ie. Request For public Comment first :-)
by mutluit
Wed Oct 25, 2023 12:59 pm
Forum: General
Topic: Improving / Optimizing RouterOS (speed, memory, disk)
Replies: 3
Views: 966

Improving / Optimizing RouterOS (speed, memory, disk)

Some years ago (2020) I saw an external backup tool that was extracting all the files from a RouterOS backup archive. I haven't used that tool since then, and I think it no longer works with newer ROS versions, haven't checked for any updates yet. But I still have the sample output of it from then, ...
by mutluit
Wed Oct 25, 2023 11:36 am
Forum: General
Topic: Missing in RouterOS firewall: counters [SOLVED]
Replies: 4
Views: 1072

Re: Missing in RouterOS firewall: counters [SOLVED]

I guess this doesn't help, right? I think proper solution would be for the count to be a property of the rule, so that we could have a way of obtaining only the count value (not an entire descriptive line which needs to be parsed to extract the count) I just now noticed how weird it shows thousands...
by mutluit
Wed Oct 25, 2023 3:15 am
Forum: General
Topic: Missing in RouterOS firewall: counters [SOLVED]
Replies: 4
Views: 1072

Re: Missing in RouterOS firewall: counters [SOLVED]

Is this what you're looking for?
/ip firewall filter print value-list stats
/ipv6 firewall filter print value-list stats
That's indeed what I mean! :-)
Already built-in, that's cool!
Thx
by mutluit
Wed Oct 25, 2023 2:53 am
Forum: General
Topic: Missing in RouterOS firewall: counters [SOLVED]
Replies: 4
Views: 1072

Missing in RouterOS firewall: counters [SOLVED]

The built-in firewall in Linux (iptables / nftables(nft)) has counters for each rule (--> see "iptables -L -n -v"). By this, one sees how many times each filter rule did match, which is also very useful when debugging the filter rules. In RouterOS (/ip firewall filter) this feature seems t...
by mutluit
Wed Oct 25, 2023 2:33 am
Forum: General
Topic: Downloading and uploading using scp
Replies: 6
Views: 1869

Re: Downloading and uploading using scp

The scp server in RouterOS lacks also wildcards in filenames.
by mutluit
Wed Oct 25, 2023 2:29 am
Forum: General
Topic: How is that possible at all: traceroute reports 2 hops with same IP
Replies: 5
Views: 985

Re: How is that possible at all: traceroute reports 2 hops with same IP

Think of how traceroute works. Next attempt will be with a TTL which is one higher. It could/will be the same answer again. The local traceroute should have seen it was already there with TTL=10. The path for TTL=11 could be one longer than the previous one (routes vary over time, as next hops can ...
by mutluit
Wed Oct 25, 2023 2:21 am
Forum: General
Topic: Diagnosing packet losses (TCP/IPv4) [SOLVED]
Replies: 1
Views: 1007

Re: Diagnosing packet losses (TCP/IPv4) [SOLVED]

This problem is luckily solved.
It was caused by the uplink router (AVM FritzBox).
by mutluit
Wed Oct 25, 2023 1:53 am
Forum: General
Topic: Mysterious connections from Internet to LAN [SOLVED]
Replies: 11
Views: 1584

Re: Mysterious connections from Internet to LAN [SOLVED]

Hey @k6ccc, stop talking BS. All information was already given, you just lack to read it. Apply some logic instead of brute-force idiocy. Case is solved: it is the buggy uplink router of AVM: it simply has bugs when routing to more than one LAN. Ie. an ISP router for dumbos. Now after removing the 2...
by mutluit
Wed Oct 25, 2023 12:51 am
Forum: General
Topic: Mysterious connections from Internet to LAN [SOLVED]
Replies: 11
Views: 1584

Re: Mysterious connections from Internet to LAN [SOLVED]

Update:
It much looks like a routing bug on the uplink router (an AVM FritzBox "router" :-))...
by mutluit
Wed Oct 25, 2023 12:28 am
Forum: General
Topic: Mysterious connections from Internet to LAN [SOLVED]
Replies: 11
Views: 1584

Re: Mysterious connections from Internet to LAN [SOLVED]

Yes, it could be something starting from a device on your LAN. However until you post your configuration, we are only guessing. I just did "/ export file=my-export-all", and searched in that file for "192.168.253": there is nothing. Just tell me: how else will you be able to fin...
by mutluit
Wed Oct 25, 2023 12:07 am
Forum: General
Topic: Mysterious connections from Internet to LAN [SOLVED]
Replies: 11
Views: 1584

Re: Mysterious connections from Internet to LAN [SOLVED]

I don't have any port forwarding from the Internet to the LAN.
Does it mean the connection gets initiated from inside the LAN?

As said I have neither such a network 192.168.253.0 nor the said IP 192.168.253.3 .
Does this then mean that this IP is maybe internal on the router, ie. in ROS ?
by mutluit
Wed Oct 25, 2023 12:01 am
Forum: General
Topic: How is that possible at all: traceroute reports 2 hops with same IP
Replies: 5
Views: 985

How is that possible at all: traceroute reports 2 hops with same IP

How is that possible at all: traceroute reports 2 hops with same IP. Take a look at the last 2 hops : # traceroute 192.229.221.95 traceroute to 192.229.221.95 (192.229.221.95), 30 hops max, 60 byte packets ... 6 145.254.3.136 (145.254.3.136) 23.072 ms 13.877 ms 15.266 ms 7 145.254.2.189 (145.254.2.1...
by mutluit
Tue Oct 24, 2023 10:08 pm
Forum: General
Topic: Mysterious connections from Internet to LAN [SOLVED]
Replies: 11
Views: 1584

Mysterious connections from Internet to LAN [SOLVED]

Under "/ip firewall connection print" it shows some mysterious connections from Internet to an unknown LAN address 192.168.253.3. The list below is from the console dump (D) when in "print", b/c file=... creates just an empty file (just some headers, but w/o these data). And: t...
by mutluit
Tue Oct 24, 2023 5:07 pm
Forum: RouterBOARD hardware
Topic: hAPax2 RAM size 1GB or 128MB ?
Replies: 18
Views: 3593

Re: hAPax2 RAM size 1GB or 128MB ?

A new problem: it seems ax2 does not have any USB port! Really? No mention of USB in the product specifications. The older ac2 has USB. I just wanted to "upgrade" my ac2 to this ax2. Correct, no USB on AX2. If you want USB and AX, then it's AX3. You'll also get the 'big ears' then. In all...
by mutluit
Tue Oct 24, 2023 4:36 pm
Forum: RouterBOARD hardware
Topic: hAPax2 RAM size 1GB or 128MB ?
Replies: 18
Views: 3593

Re: hAPax2 RAM size 1GB or 128MB ?

A new problem: it seems ax2 does not have any USB port! Really? No mention of USB in the product specifications.
The older ac2 has USB.
I just wanted to "upgrade" my ac2 to this ax2.
by mutluit
Tue Oct 24, 2023 4:26 pm
Forum: RouterBOARD hardware
Topic: hAPax2 RAM size 1GB or 128MB ?
Replies: 18
Views: 3593

Re: hAPax2 RAM size 1GB or 128MB ?

If I recall, AC2 or cap AC had such an occurrence (128 vs 256 Mb RAM), no ?
Yes, I think this really happened :-(
My ac2 has only 128 MB RAM.
by mutluit
Tue Oct 24, 2023 4:08 pm
Forum: RouterBOARD hardware
Topic: hAPax2 RAM size 1GB or 128MB ?
Replies: 18
Views: 3593

Re: hAPax2 RAM size 1GB or 128MB ?

Online shops have wrong information. There is only one version with Storage 128MB and 1GB RAM. Maybe an official answer by MikroTik would be good, b/c I remember to have read some old postings here where similar happened in reality with some old/other models. I rather would not like to experience s...
by mutluit
Tue Oct 24, 2023 3:48 pm
Forum: RouterBOARD hardware
Topic: hAPax2 RAM size 1GB or 128MB ?
Replies: 18
Views: 3593

hAPax2 RAM size 1GB or 128MB ?

Hi, it is advertised that the hAPax2 has 1GB RAM and 128MB storage size. But some online shops say it has only 128MB RAM. This is confusing. Are there really such different models of this hAPax2, or is rather the info at some shops/distributors simply incorrect? Here's an example of an online shop (...
by mutluit
Mon Oct 23, 2023 6:11 pm
Forum: General
Topic: Downloading and uploading using scp
Replies: 6
Views: 1869

Re: Downloading and uploading using scp

@mkx, your setup is really interesting. I too would like to attach a USB stick. How to configure it in RouterOS? And how did you create a RAMdisk in RouterOS? I still cannot upload any file via scp (it stalls, I've to do CTRL-C to abort scp). Upload and download via WebFig is ok, but I need it in sh...
by mutluit
Mon Oct 23, 2023 5:52 pm
Forum: General
Topic: Downloading and uploading using scp
Replies: 6
Views: 1869

Re: Downloading and uploading using scp

It is possible to scp single file ... just don't include the leading / on path to source file name. Example: scp username@router:flash/skins/default.json . And copying files to router works the same way ... without leading / in the destination path. Thx. Can you give an example for a new file on the...
by mutluit
Mon Oct 23, 2023 5:25 pm
Forum: General
Topic: Downloading and uploading using scp
Replies: 6
Views: 1869

Downloading and uploading using scp

Under Linux using the following command in shell it is possible to download all files from the router: scp -r -p -P 22 username@192.168.88.1:/ . Beware: there is a dot (.) at the end, meaning to save "here", ie. in current dir. It saves the files usually in a new subdirectory named "p...
by mutluit
Mon Oct 23, 2023 11:32 am
Forum: General
Topic: System Password
Replies: 2
Views: 814

Re: System Password

The above link is for ROS v7. In v6 they seem to be somewhere else.
B/c v6 has in WebFig under system a password as well.
The documentations are really a mess. One needs a handbook that explicitly says that it covers ROS version x.
by mutluit
Sun Oct 22, 2023 11:18 pm
Forum: General
Topic: System Password
Replies: 2
Views: 814

System Password

What is the System Password and when will it be used?
On my devices it's empty. Only users have passwords defined.
On this doc page there is no info about it: https://wiki.mikrotik.com/wiki/Manual:System
by mutluit
Sun Oct 22, 2023 6:30 pm
Forum: General
Topic: Diagnosing packet losses (TCP/IPv4) [SOLVED]
Replies: 1
Views: 1007

Diagnosing packet losses (TCP/IPv4) [SOLVED]

I encounter packet losses on a hAPac2 router with RouterOS v7 with a minimally configured default setup (just done a fresh netinstall). When testing using ping, then there are many gaps in the " icmp_seq= " numbers in the ping output (it says " 70% packet loss "): # ping google.d...
by mutluit
Sun Oct 22, 2023 4:07 pm
Forum: General
Topic: Cannot flash Mikrotik hAP ac2 with netinstall-cli
Replies: 15
Views: 1614

Re: Cannot flash Mikrotik hAP ac2 with netinstall-cli

FINALLY SUCCESS! :-) I had attached the PC to the Ethernet port labeled "1" (ie. the WAN port) when using netinstall. But afterwards when using WINBOX.EXE one needs to attach the PC to the Ethernet port "2" !!! :-) Now I'm in the WINBOX.EXE pgm and trying to do what is necessary ...
by mutluit
Sun Oct 22, 2023 1:45 pm
Forum: General
Topic: Cannot flash Mikrotik hAP ac2 with netinstall-cli
Replies: 15
Views: 1614

Re: Cannot flash Mikrotik hAP ac2 with netinstall-cli

Since above the netinstall program of v6 had seemingly worked, I now used that program to install the image of v7: the installation worked, as before, but I can neither ping the device nor does "telnet devIP 80" work (just testing http), so winbox seems necessary, as before... but winbox g...
by mutluit
Sun Oct 22, 2023 1:09 pm
Forum: General
Topic: Cannot flash Mikrotik hAP ac2 with netinstall-cli
Replies: 15
Views: 1614

Re: Cannot flash Mikrotik hAP ac2 with netinstall-cli

How I run netinstall from Linux: From my notes (which are pretty much copy/paste from help page): wget https://download.mikrotik.com/routeros/[VERSION]//netinstall-[VERSION].tar.gz Extract it: tar -xzf netinstall-[VERSION].tar.gz Set IP on PC to 192.168.88.2/255.255.255.0 Run the tool: .//netinstal...
by mutluit
Sun Oct 22, 2023 12:47 pm
Forum: General
Topic: Cannot flash Mikrotik hAP ac2 with netinstall-cli
Replies: 15
Views: 1614

Re: Cannot flash Mikrotik hAP ac2 with netinstall-cli

The above attempt to netinstall ROS v6 + winbox hasn't succeeded :-( Now trying to netinstall the version 7 of ROS: It's very slow: it now sends for more than 5 minutes and still not finished... I think I'll abort and retry... I had given the "-i eth0" option. As next will try "-a IP&...
by mutluit
Sat Oct 21, 2023 10:23 pm
Forum: General
Topic: Cannot flash Mikrotik hAP ac2 with netinstall-cli
Replies: 15
Views: 1614

Re: Cannot flash Mikrotik hAP ac2 with netinstall-cli

-r really cleared all config, even default. Try again without that option since you are on Linux. Using winbox you would be able to log in via MAC. You can run it via Wine. Tried w/o -r but it didn't help. Yes, it seems winbox is indeed necessary, also said by the OpenWrt folks at https://openwrt.o...
by mutluit
Sat Oct 21, 2023 8:32 pm
Forum: General
Topic: Cannot flash Mikrotik hAP ac2 with netinstall-cli
Replies: 15
Views: 1614

Re: Cannot flash Mikrotik hAP ac2 with netinstall-cli

I just successfully installed using netinstall-cli by: 1) setting IP of PC to 192.168.88.3 (maybe this step is not necessary) 2) connecting device directly to the PC via the Ethernet cable 3) disabling the local firewall on the PC (iptables) 4) and issuing this command as root: ./netinstall -r -a 19...
by mutluit
Thu Dec 15, 2022 9:26 pm
Forum: General
Topic: address list auto-sync of IP changes of domain address
Replies: 15
Views: 2206

Re: address list auto-sync of IP changes of domain address

@sindy, UDP is a connectionless protocol, so just forget it. The problem is with TCP connections. I (and others) have made MikroTik and the forum aware of this serious and nasty issue by explaining the problem and suggesting even some solution steps. It's of course up to the MikroTik engineers wheth...
by mutluit
Thu Dec 15, 2022 7:59 pm
Forum: General
Topic: address list auto-sync of IP changes of domain address
Replies: 15
Views: 2206

Re: address list auto-sync of IP changes of domain address

Lots of discussion but what is a clear consistent useful path towards what I am assuming the issue to be. Issue = firewall address lists where done by domain name, can be inaccurate and fail if the domain name associated IP has changed within the TTL setting of the DNS used. Close?? Sounds similar...
by mutluit
Thu Dec 15, 2022 5:51 pm
Forum: General
Topic: address list auto-sync of IP changes of domain address
Replies: 15
Views: 2206

Re: address list auto-sync of IP changes of domain address

In RouterOS we need also an option for syncing the address w/o waiting for TTL expiration. This is clear. But here comes a problem, as already faced on PSN, every time you resolve DNS, it changes IP, even if you just checked it, and the previous IP do not accept connection from other IPs. What is r...
by mutluit
Thu Dec 15, 2022 5:36 pm
Forum: General
Topic: address list auto-sync of IP changes of domain address
Replies: 15
Views: 2206

Re: address list auto-sync of IP changes of domain address

Please do not useless quote anything for nothing... You changed the content of the initial post... Without obviously indicating what you changed... I think I forgot a punctuation, so I corrected it... :-) Anyway, what is not clear to you about my answer? On U.S.A. @ 3600 IN CNAME www.***.com www 36...
by mutluit
Thu Dec 15, 2022 5:07 pm
Forum: General
Topic: address list auto-sync of IP changes of domain address
Replies: 15
Views: 2206

Re: address list auto-sync of IP changes of domain address

Decrease TTL value on www.example.com DNS server. MikroTik update the IP based on TTL value given from DNS server. If the IP is updated more frequently than TTL, is who have configured the DNS that make the error. And since "start page" is a real domain, use www.example.com on examples an...
by mutluit
Thu Dec 15, 2022 4:23 pm
Forum: General
Topic: address list auto-sync of IP changes of domain address
Replies: 15
Views: 2206

address list auto-sync of IP changes of domain address

Hi, I have a little nasty problem with the firewall in RouterOS: If I add a domain address by name, like "www.startpage.com" (ie. not by IP), then if the underlying IP of that domain name changes in future then RouterOS does not sync its database, leading to connection error. I suggest to ...
by mutluit
Sun Dec 11, 2022 2:06 am
Forum: General
Topic: Does Paramount+ require IPv6 ? [SOLVED]
Replies: 11
Views: 1668

Re: Does Paramount+ require IPv6 ? [SOLVED]

Problem finally solved! IPv6 was not required. It just requires only a "recent" webbrowser, ie. ideally the latest version. Mine was a little bit old (Google Chrome v92). After updating to the latest v108 it now works fine. My Linux OS (Debian v9 "stretch") is a little bit old to...
by mutluit
Sat Dec 10, 2022 7:55 pm
Forum: General
Topic: Does Paramount+ require IPv6 ? [SOLVED]
Replies: 11
Views: 1668

Re: Does Paramount+ require IPv6 ? [SOLVED]

Thanks everybody. I now have managed to get IPv6 working, but... unfortunately it did not fix the said problem with this streaming site. :-( I would like to hear of other Linux users who can use it successfully. In the mean time I'll research the said "error code 3304" further on the net. ...
by mutluit
Sat Dec 10, 2022 2:56 am
Forum: General
Topic: Does Paramount+ require IPv6 ? [SOLVED]
Replies: 11
Views: 1668

Re: Does Paramount+ require IPv6 ? [SOLVED]

nslookup 8cb691e535702e64106a3948d54b901798889ee3.ipv6.cws.conviva.com Name: 8cb691e535702e64106a3948d54b901798889ee3.ipv6.cws.conviva.com Addresses: 2620:10b:7001:10::106 2620:10b:7002:14::108 2620:10b:7001:10::109 2620:10b:7002:14::107 domain 8cb691e535702e64106a3948d54b901798889ee3.ipv6.cws.conv...
by mutluit
Fri Dec 09, 2022 11:25 pm
Forum: General
Topic: Does Paramount+ require IPv6 ? [SOLVED]
Replies: 11
Views: 1668

Re: Does Paramount+ require IPv6 ? [SOLVED]

It doesn't seem likely that something would require IPv6 and wouldn't be able to work without it. Such service would be inaccessible to 2/3 users (global average). Yes, I agree. But then how to explain this bug? Yesterday it worked, today it no longer works, in between nothing here has changed. The o...
by mutluit
Fri Dec 09, 2022 11:21 pm
Forum: General
Topic: Enabling also IPv6 in RouterOS [SOLVED]
Replies: 2
Views: 953

Re: Enabling also IPv6 in RouterOS [SOLVED]

Using Winbox Check under system/packages then you should see ipv6 … enable this then reboot …
Thx, this worked, now having entries under /ipv6.
by mutluit
Fri Dec 09, 2022 10:14 pm
Forum: General
Topic: Enabling also IPv6 in RouterOS [SOLVED]
Replies: 2
Views: 953

Enabling also IPv6 in RouterOS [SOLVED]

Hello, on a MikroTik small router hAP ac^2 using RouterOS 6.47.10 that was long ago configured for only IPv4 (ie. IPv6 was explicitly disabled), I now need to enable also IPv6. Can someone please tell me where in RouterOS to start to make this change in the configuration? Under /ipv6 there is nothin...
by mutluit
Fri Dec 09, 2022 9:47 pm
Forum: General
Topic: Does Paramount+ require IPv6 ? [SOLVED]
Replies: 11
Views: 1668

Does Paramount+ require IPv6 ? [SOLVED]

Hi all, recently I subscribed to the streaming provider Paramount+ [........], and I was able to watch some films inside the WebBrowser. But today it no longer starts any of the films. It gives "error code 3304" . I asked their support, but they have, as usual with such streaming providers...
by mutluit
Sat Sep 18, 2021 4:17 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 2560

Re: Is my hAPac^2 dead?

The output from netinstall is correct for the linux version, now it just needs to see a device in etherboot. https://help.mikrotik.com/docs/display/ROS/Netinstall#Netinstall-Etherboot your PC and the device you wish to netinstall must be on the same layer 2 segment. less complexity is better for ne...
by mutluit
Sat Sep 18, 2021 4:09 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 2560

Re: Is my hAPac^2 dead?

I've not used netinstall on a linux device so i can't tell if everything is correct or not... You could try as well other versions of netinstall ... Also held the reset button on the device while rebooting it For how long ? More than the default 20 seconds (and < 60s). I think I had not changed the...
by mutluit
Fri Sep 17, 2021 6:07 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 2560

Re: Is my hAPac^2 dead?

Try to Netinstall the device... Thx, downloaded this file for Linux: https://download.mikrotik.com/routeros/6.48.4/netinstall-6.48.4.tar.gz The description (I mean filename) implies that the .npk is within the archive, but it isn't, so I had to download also the file https://download.mikrotik.com/r...
by mutluit
Fri Sep 17, 2021 4:00 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 2560

Is my hAPac^2 dead?

Hi, I've 2 hAPac2 routers, but recently one stopped functioning, so I switched to the spare device, installed the backup etc. and it works fine. Now I've got some time and would like to diagnose what happened to the first device. It is not accessible via IP(s), nor via MAC (via WinBox). I did the &q...
by mutluit
Sun Mar 28, 2021 5:26 pm
Forum: RouterOS beta
Topic: Possible error in DNS canonical name handling
Replies: 7
Views: 2072

Re: Possible error in DNS canonical name handling

@msatter, as you already stated, with such cloud servers the underlying IP to a domain varies depending on the region/country etc. I'm getting this: :put [:resolve www.edn.com] 2.23.78.15 The question now is how to find the record that contains this IP, as it usually is not exactly the same IP but o...
by mutluit
Sun Mar 28, 2021 4:51 pm
Forum: RouterOS beta
Topic: Possible error in DNS canonical name handling
Replies: 7
Views: 2072

Re: Possible error in DNS canonical name handling

Address list uses resolved IP addresses (repeats resolving after DNS record TTL expires so it keeps IP address semi-uptodate) ... since ultimate destination is some akamai cloud address, it could be same IP address is whitelisted for some other domain. If you want to block according to FQDN, you ei...
by mutluit
Sun Mar 28, 2021 3:58 pm
Forum: RouterOS beta
Topic: Possible error in DNS canonical name handling
Replies: 7
Views: 2072

Re: Possible error in DNS canonical name handling

The CNAME is indeed the cause of this. Looking at Pi-hole it will block www.edn.com.edgekey.net if it is in a list used to block domains. They use Whitelisting and that will match the domain you type and will ignore blocking and you will access that domain. RouterOS DNS will resolve in one go, as i...
by mutluit
Sun Mar 28, 2021 2:48 pm
Forum: RouterOS beta
Topic: Possible error in DNS canonical name handling
Replies: 7
Views: 2072

Possible error in DNS canonical name handling

I'm using the DNS in my router (hAP ac^2 with RouterOS 7.1beta3). I'm by default blocking all outgoing (as well incoming) traffic, I do allow it only by explicitly adding the address to an "allow" list. This works fine, but today I experienced this funny problem: the address www.edn.com ge...
by mutluit
Tue Nov 10, 2020 7:35 pm
Forum: RouterOS beta
Topic: Why DNS-record updates not working?
Replies: 16
Views: 3707

Re: Why DNS-record updates not working?

So client first resolves the name to get address, and then it connects to that address. There's no direct relation between that, in a way that router can see (there goes your previous idea that router could check for connection failures). I think the problem in RouterOS can be solved as follows: af...
by mutluit
Tue Nov 10, 2020 6:57 pm
Forum: RouterOS beta
Topic: Why DNS-record updates not working?
Replies: 16
Views: 3707

Re: Why DNS-record updates not working?

There's no need to blame DNS server in RouterOS - that works as expected and is completely unrelated to your problem. The address list is something completely different, and it can not be used (reliably) the way you expect it. Maybe it's just an address list issue, not DNS. I'm using the address lis...
by mutluit
Tue Nov 10, 2020 5:01 pm
Forum: RouterOS beta
Topic: Why DNS-record updates not working?
Replies: 16
Views: 3707

Re: Why DNS-record updates not working?

But that is how things work. What do you think this should work like? After each connection failure, RouterOS should check whether the IP/domain is covered in its local DNS, and if yes, then check/verify whether its A record is still valid... Because: currently I have manually to do these 2 damn st...
by mutluit
Tue Nov 10, 2020 4:54 pm
Forum: RouterOS beta
Topic: Why DNS-record updates not working?
Replies: 16
Views: 3707

Re: Why DNS-record updates not working?

The domain has a time to live (ttl) of 299 seconds. RouterOS caches the record for this time, see / ip dns cache.
This is correct behavior and should not be changed.
But this is not user-friendly. I mean just think practically....
by mutluit
Tue Nov 10, 2020 4:37 pm
Forum: RouterOS beta
Topic: Why DNS-record updates not working?
Replies: 16
Views: 3707

Why DNS-record updates not working?

Hi, imagine this real scenario: for example the domain consent.youtube.com has one IP, but it changes often (like a dynamic IP, but I rather think YT changes the f*cking IP intentionally). When the IP changes then the DNS server in RouterOS still gives the old, now invalid, IP, which of course isn't...
by mutluit
Tue Nov 10, 2020 1:47 pm
Forum: RouterOS beta
Topic: Error: DNS adding domain name with Umlaut [SOLVED]
Replies: 10
Views: 2550

Re: Error: DNS adding domain name with Umlaut [SOLVED]

You have to use IDN encoding. Try this: xn--allestrungen-9ib.de
Thanks! This seems to work. But I wonder how to figure/decipher/decode/understand this.
by mutluit
Tue Nov 10, 2020 1:32 pm
Forum: RouterOS beta
Topic: Error: DNS adding domain name with Umlaut [SOLVED]
Replies: 10
Views: 2550

Error: DNS adding domain name with Umlaut [SOLVED]

Hi,
how do I add this domain name "allestörungen.de" to the DNS (into an allow list)?
The problem is: the domain name has an Umlaut ("ö"), but in the MikroTik console it's not possible to type that character :-(
Has this been fixed in recent MikroTik OS versions?
Thx
by mutluit
Sat Jul 18, 2020 1:51 am
Forum: Beginner Basics
Topic: hAP ac2 – slow transfer speed between vlans
Replies: 15
Views: 6286

Re: hAP ac2 – slow transfer speed between vlans

I too had experienced similar dropping performance problems with the same router. The reason was non-optimal firewall rules. After fixing it the performance came back to about 950 Mbps from previous about 250 Mbps. WAN/LAN as well LAN/LAN as well sameLAN. I would suggest to try the following rules a...
by mutluit
Sat Jul 18, 2020 12:48 am
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

But remember, MITM = bad. Whole point of HTTPS (or generally SSL/TLS) is to protect data, which includes preventing MITM. Client needs to be sure that it got exactly what server sent and nobody tampered with it. Or if someone did, client can detect it. When you do MITM, you take this away. Proxy us...
by mutluit
Fri Jul 17, 2020 10:03 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

Maybe a little bit off-topic, I apologize in advance, but just for the sake of completeness: Since the web proxy "privoxy" was mentioned many times in this thread: I just found some brand new important information regarding https-traffic that says this: Privoxy now has the ability to a...
by mutluit
Fri Jul 17, 2020 7:25 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

Here's an example with URL https://www.tomshardware.com/ that explains my said method of "block all outbound by default": The log below is of the said web proxy privoxy (using "debug 512" in its config for this log format). Initially my firewall blocks it (code 503) as I haven't ...
by mutluit
Fri Jul 17, 2020 5:22 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

Privoxy cannot decrypt https, no. It cannot look in your HTML or in your URL. But then I wonder how this is then technically working. The proxy is in the middle, it is the one that connects to the remote. That's at least what I was assuming. So, then I wonder what happens next. Can you elaborate? T...
by mutluit
Fri Jul 17, 2020 5:06 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

@pe1chl, maybe we are talking of different things. I just mean for example the said proxy server privoxy. Do you mean it can't decrypt https? As I'm new to it, I really don't know; I just am thinking that it very well can decrypt HTML pages it gets via https. There are several forms of proxy methods...
by mutluit
Fri Jul 17, 2020 4:49 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

@pe1chl, correct me, but I think you are talking of two-way authentication via certs.
But I know of no public site where this is used, in 99+% only the server side is authenticated by the certs, but not the user side.
by mutluit
Fri Jul 17, 2020 4:35 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

MikroTik is not in this game as its layer 7 mechanism is a toy [because it cannot do decryption] so all https traffic cannot be inspected. Perhaps in the near future MikroTik will have a 3rd gen engine --- this is not a cheap endeavour. That problem of encrypted traffic (https) is IMO easily solvab...
by mutluit
Fri Jul 17, 2020 3:39 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

You will have to live with the fact that makers of systems are moving more and more towards setups where a network administrator cannot filter or block the traffic! In the past, you could filter on port numbers, redirect traffic to some ports to other destinations (DNS port 53), peek in traffic to ...
by mutluit
Fri Jul 17, 2020 1:38 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

any proxy is generally very powerful because it actually processes the request (therefore it understands exactly what is being requested and returned) but https proxies are also serious security threat - for HTTPS or generally SSL encrypted traffic (nowadays majority of internet traffic) you need t...
by mutluit
Fri Jul 17, 2020 12:24 pm
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

Force the DNS resolver to a server you have under control and null the blocked domains out there. What about the proxies "privoxy" (http/https proxy) and "Pi-hole" (DNS proxy): can these be used for this problem? Privoxy I'm already using since a few days now, but haven't st...
by mutluit
Fri Jul 17, 2020 5:33 am
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Re: Traffic to blocked address still succeeds. Why? A bug?

@Sob, thanks for the explanation. I now see the underlying problem. You said "That's the problem with this kind of blocking." So, does this statement imply that there is (or even are) some other blocking methods possible for this problem case? I can force all clients to use the same one DN...
by mutluit
Fri Jul 17, 2020 2:55 am
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7824

Traffic to blocked address still succeeds. Why? A bug?

I have the address "android.clients.google.com" in the address-lists "deny" and "deny_nolog", and two firewall rules to drop all packets to all the IPs behind that address. Still, occasionally it happens that the blocking isn't working! Why? What's the reason? Btw. how...
by mutluit
Tue Jul 14, 2020 9:57 pm
Forum: RouterOS beta
Topic: Feature Request: show also "action" in log line
Replies: 0
Views: 983

Feature Request: show also "action" in log line

I'm currently working on the firewall and miss the fact that the log line does not show the action.
Of course one can add an own comment via log-prefix="...", but IMO it would be better if action=... would be printed by default in the log line.
by mutluit
Sat Jul 11, 2020 6:01 pm
Forum: General
Topic: Cant login after security measures
Replies: 3
Views: 1335

Re: Cant login after security measures

Hi everyone, I've just set up most of the security steps suggested in the Mikrotik wiki https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#RouterOS_services Left ssh and winbox service, each one on different ports (not the standard ones). Worked well yesterday but today I receive this messag...
by mutluit
Sat Jul 11, 2020 5:40 pm
Forum: General
Topic: Local domain with Mikrotik
Replies: 5
Views: 6025

Re: Local domain with Mikrotik

The problem I have is that they must specify the port to this url, thus leaving http://turno.sys:3010 I just want to type http://turno.sys and have mikrotik take care of indicating this port 3010 Use port 80 instead of 3010, then it will work. With other port numbers this cannot work. http uses po...
by mutluit
Sat Jul 11, 2020 11:07 am
Forum: General
Topic: Cannot download at 10 gbps [SOLVED]
Replies: 23
Views: 6961

Re: Cannot download at 10 gbps [SOLVED]

@benc1337, can you test also the performance of this setup on the router: 10G_MacbookPro <--> 10G_WAN(sfp-sfpplus1) <--> 10G_LAN(sfp-sfpplus2) <--> 10G_NAS It seems IP of WAN is missing. WAN and the LAN bridge should each have their own IPs [they then serve as the gateway address for the attached cl...
by mutluit
Fri Jul 10, 2020 9:36 pm
Forum: RouterOS beta
Topic: bug in beta8: firewall address-list in Webfig gets permanently sorted
Replies: 0
Views: 912

bug in beta8: firewall address-list in Webfig gets permanently sorted

Observed in beta8: This Webfig page http://192.168.88.1/webfig/#IP:Firewall.Address_Lists is permanently sorting the list. It's unnecessary, doesn't make any sense, and eats up CPU cycles. It should be re-sorted only if a change to the list happens. In my case I'm maintaining the list manually, ie. ...
by mutluit
Fri Jul 10, 2020 8:46 pm
Forum: General
Topic: Cannot download at 10 gbps [SOLVED]
Replies: 23
Views: 6961

Re: Cannot download at 10 gbps [SOLVED]

Normis, am I way off base here, or should I send you to jail??? ;-) LOL :-). Yes, you're off base. It's not the physical interfaces, but the number of data streams like TCP sessions that matters. Across the Internet, you don't need to have 10G to run into this; that's why things like BitTorrent and...
by mutluit
Fri Jul 10, 2020 8:27 pm
Forum: RouterOS beta
Topic: v7 and mellanox 100G connectX5 MT27800
Replies: 4
Views: 3090

Re: v7 and mellanox 100G connectX5 MT27800

any news about v7 supporting 100G port modules by mellanox connectX5 with chipset MT27800? I see on the speed interface configuration we can only choose 40gbps; any update on supporting also 100G cards? I saw offers of such 100G cards, even dual-port for about $390. The card uses PCIe 3.0 x8: https...
by mutluit
Fri Jul 10, 2020 7:48 pm
Forum: RouterOS beta
Topic: Feature Request: firewall: besides remote IP:port log optionally also its hostname
Replies: 2
Views: 1271

Re: Feature Request: firewall: besides remote IP:port log optionally also its hostname

I'm not sure if this should be done on the Mikrotik itself. Again wasting valuable cpu-cycles on this. If you have a large(r) infrastructure I don't think you are going to look at the logs through Winbox or Webfig but you are going to push these logs into something else (eg. Splunk) or some custom ...
by mutluit
Fri Jul 10, 2020 7:27 pm
Forum: General
Topic: Mikrotik CRS125-24G Speed Problem
Replies: 13
Views: 3825

Re: Mikrotik CRS125-24G Speed Problem

Folks, sorry, I'm suddenly having similar performance problems like the OP :-( I can swear I had about 950 Mbps download speed in the past, but now getting only about 250 Mbps :-( I don't know what the reason is, but suspect firewall and/or the latest beta8 I'm using. Update: hmm. I now remember I p...
by mutluit
Fri Jul 10, 2020 5:58 pm
Forum: General
Topic: Cannot download at 10 gbps [SOLVED]
Replies: 23
Views: 6961

Re: Cannot download at 10 gbps [SOLVED]

Maybe your firewall rules on your CCR are not optimal. See this posting for verification and fixing:
viewtopic.php?f=2&t=163454&p=805142#p805135
by mutluit
Fri Jul 10, 2020 5:39 pm
Forum: General
Topic: Mikrotik CRS125-24G Speed Problem
Replies: 13
Views: 3825

Re: Mikrotik CRS125-24G Speed Problem

Your Huawei Router is connected to what port? If it is connected to ether1 your CRS is not working as switch but additional router. Disable DHCP server, plug the Huawei Router to any other port and try again. Hmm. I would suggest to have each device have its own LAN, ie. 2 independent local IP netw...
by mutluit
Fri Jul 10, 2020 5:19 pm
Forum: General
Topic: Mikrotik CRS125-24G Speed Problem
Replies: 13
Views: 3825

Re: Mikrotik CRS125-24G Speed Problem

In the firewall your first two rules should be like these: /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related add action=accept chain=forward comment="defconf: accept established,related, untracked" ...
by mutluit
Fri Jul 10, 2020 4:44 pm
Forum: RouterOS beta
Topic: Feature Request: firewall: besides remote IP:port log optionally also its hostname
Replies: 2
Views: 1271

Feature Request: firewall: besides remote IP:port log optionally also its hostname

The current format of logging is as follows ("R1" and "TEST" are user specified strings): Jul 10 15:15:02 192.168.xxx.xxx firewall,info R1: TEST forward: in:ether2 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.xxx.xxx:56620->137.xxx.xxx.xxx:443, len 52 It would ...
by mutluit
Fri Jul 10, 2020 4:12 pm
Forum: Beginner Basics
Topic: Proxy connect in log
Replies: 4
Views: 1431

Re: Proxy connect in log

I don't know the official answer, but I guess it just means the proxy has got the request (ie. the job, order, task) to connect to the specified remote site. You could do a small experiment by first connecting to an existing page of a site, and then attempting to connect to a non-existing page of th...
by mutluit
Thu Jul 09, 2020 10:44 pm
Forum: Beginner Basics
Topic: How to set uplink port on CRS305-1G-4S+? Why is POE not working?
Replies: 1
Views: 1088

Re: How to set uplink port on CRS305-1G-4S+? Why is POE not working?

2) I get very low speeds towards my NAS. It is as if the switch were using the ETH/Boot port as the uplink instead of the SFP+4 port. How do I tell the switch to only use ETH/Boot for management, and port SFP+4 for uplink to core switch? It surely is a routing problem. For an analysis at least the ...
by mutluit
Thu Jul 09, 2020 10:18 pm
Forum: RouterOS beta
Topic: Add RTL8125B driver request
Replies: 3
Views: 3281

Re: Add RTL8125B driver request

Indeed a very interesting piece of hardware. The CPU is 4C/4T:
https://ark.intel.com/content/www/us/en ... 0-ghz.html
by mutluit
Thu Jul 09, 2020 9:50 pm
Forum: RouterOS beta
Topic: Feature or Bugfix Request: ip firewall addess-list import shall not abort when dupe seen [SOLVED]
Replies: 4
Views: 2886

Feature or Bugfix Request: ip firewall addess-list import shall not abort when dupe seen [SOLVED]

Observed in beta8: Currently when importing addresses into "/ip firewall address-list" the import aborts with an error message when it sees a dupe address that already is in the list. This behavior of aborting the importing process is unnecessary, IMO even incorrect. It rather shall simply...
by mutluit
Thu Jul 09, 2020 7:01 pm
Forum: Beginner Basics
Topic: Proxy connect in log
Replies: 4
Views: 1431

Re: Proxy connect in log

Which device, which firmware & version, and what do you mean by "proxy log" and "proxy connect"?
Just post a sanitized excerpt from the log for analysis.
by mutluit
Thu Jul 09, 2020 6:17 pm
Forum: General
Topic: Web server is up, but not responding.
Replies: 5
Views: 2338

Re: Web server is up, but not responding.

It could be also an issue with the local firewall on the PC.
by mutluit
Thu Jul 09, 2020 12:03 pm
Forum: General
Topic: 50mbps down / 100 mpbs up wifi ac2
Replies: 5
Views: 1702

Re: 50mbps down / 100 mpbs up wifi ac2

The ac^2 has 2 bands: wlan1: 2.4GHz and wlan2: 5GHz
In my region wlan2 is about twice faster than wlan1.
Ie. you should test the wlan interfaces individually.
by mutluit
Wed Jul 08, 2020 8:46 pm
Forum: General
Topic: crs326
Replies: 1
Views: 581

Re: crs326

Any related entries in the log?
Maybe a heat issue. Check the temperature.
by mutluit
Wed Jul 08, 2020 8:33 pm
Forum: General
Topic: SMS receive 'allowed-number' multiple numbers [SOLVED]
Replies: 9
Views: 3698

Re: SMS receive 'allowed-number' multiple numbers [SOLVED]

The following gets accepted, but don't know whether it works in practice: /tool sms set allowed-number="+447xxxxxxxxx,+447xxxxxxxx" "/tool/sms print" says then: ... allowed-number: +447xxxxxxxxx,+447xxxxxxxx ... OTOH entering the numbers via the GUI interface one by one does the ...
by mutluit
Wed Jul 08, 2020 7:57 pm
Forum: General
Topic: Web server is up, but not responding.
Replies: 5
Views: 2338

Re: Web server is up, but not responding.

Maybe an issue with the web-browser. Try another one. Hmm. I see you already tried curl. Then it seems to be a firewall issue, IMO. Check the rules under "/ip firewall filter" etc. And if applicable also those under "/interface ethernet switch rule" for ACL rules. You can also ad...
by mutluit
Wed Jul 08, 2020 7:08 pm
Forum: General
Topic: Weird Routing problems [SOLVED]
Replies: 10
Views: 3314

Re: Weird Routing problems [SOLVED]

Please Nobody? Don't have experience with CapsMan. Without CapsMan I assign the wlanX a gateway IP, then the client can ping the others. Of course under DHCPServer / Networks one has to list the network(s) of the wlanX. If the client has more than one interface then maybe it's trying to go over the...
by mutluit
Wed Jul 08, 2020 6:54 pm
Forum: General
Topic: SFP+RJ10 - What am I doing Wrong??
Replies: 13
Views: 3077

Re: SFP+RJ10 - What am I doing Wrong??

The interface print doesn't show anything useful, what were you expecting??
I will try to play with this today and get the mac add answers for you.
"/interface print" should list all interfaces (etherX plus MACs, etc.).
Either you had a typo, or your device is totally broken.
by mutluit
Wed Jul 08, 2020 6:00 pm
Forum: General
Topic: SEPARATING TCP AND UDP ON EACH ISP
Replies: 1
Views: 1169

Re: SEPARATING TCP AND UDP ON EACH ISP

I have 2 ISPs, and my design is to have Load balance and failover config on my RB3011, the condition i made is this; TCP (Browsing) is going to ISP1 while UDP (which of course Streaming Videos) is going to ISP2 Which public streaming service uses UDP ? The three I know (youtube, netflix, amazon-pri...
by mutluit
Wed Jul 08, 2020 5:10 pm
Forum: General
Topic: Looking for address-list of google and amazon [SOLVED]
Replies: 0
Views: 1765

Looking for address-list of google and amazon [SOLVED]

Has someone an address-list of all IP-blocks of google and amazon? Update: Found a list and a generic method by querying the SPF records in DNS: All actual Google ipv4 and ipv6 addresses based on Google's SPF records: https://md5calc.com/google/ip Same method should be applicable with any such compan...
by mutluit
Wed Jul 08, 2020 3:51 pm
Forum: Beginner Basics
Topic: Open Access to TikApp
Replies: 6
Views: 2538

Re: Open Access to TikApp

How do i allow access to the box from lan without needs to port knock?
Grant access to the service for the allowed clients. There are many methods possible: firewall settings, services settings, user settings, depending on the port/service. You haven't stated what port or service it is.
by mutluit
Wed Jul 08, 2020 3:23 pm
Forum: Beginner Basics
Topic: Getting mixed speeds on CRS305-1G-4S+IN
Replies: 3
Views: 2545

Re: Getting mixed speeds on CRS305-1G-4S+IN

@saudkh, for such tests you should create a lab environment: unplug WAN, use static IPs, and connect the 2 PCs to the switch and do your iperf tests. For such a test your both PCs should better be in the same LAN. If it still doesn't work, then post your config: "/export hide-sensitive file=con...
by mutluit
Tue Jul 07, 2020 12:40 am
Forum: General
Topic: Performance Problem ?
Replies: 4
Views: 1415

Re: Performance Problem ?

Is your 10G interface listed under WAN? (/interface list member print)
Without seeing your config settings nobody really can help. One needs to see the settings of the involved interfaces, incl. all the involved IPs, as well the route table etc.
by mutluit
Tue Jul 07, 2020 12:36 am
Forum: General
Topic: export tool bug inquiry
Replies: 4
Views: 1404

Re: export tool bug inquiry

In the export tools there appears to be a bug in the Interfaces section. Some of the ports that were set for faster speeds than 100mbps get set to 100mbps. Is that something that has already been reported and is being looked into? Which device and which firmware version? Can the interface handle fa...
by mutluit
Sun Jul 05, 2020 2:35 pm
Forum: Scripting
Topic: Extracting last SMS number [SOLVED]
Replies: 9
Views: 3982

Re: Extracting last SMS number [SOLVED]

More research suggests /tool sms inbox get $i phone doesn't use the index so using my count - 1 method won't work . However `/tool sms inbox find` still returns nothing Try this: :global lastIx ([:len /tool sms inbox] - 1) :global lastNum [/tool sms inbox get number=$lastIx phone] :put $lastNum ......
by mutluit
Sun Jul 05, 2020 3:35 am
Forum: Scripting
Topic: Extracting last SMS number [SOLVED]
Replies: 9
Views: 3982

Re: Extracting last SMS number [SOLVED]

More research suggests /tool sms inbox get $i phone doesn't use the index so using my count - 1 method won't work . However `/tool sms inbox find` still returns nothing Try this: :global lastIx (:len [/tool sms inbox] - 1) :global lastNum [/tool sms inbox get number=$lastIx phone] :put $lastNum ......
by mutluit
Sun Jul 05, 2020 2:34 am
Forum: Beginner Basics
Topic: Basic bandwidth limiting
Replies: 14
Views: 3152

Re: Basic bandwidth limiting

The following CLI command limits both upload and download to 1Mbps for clients in LAN 192.168.128.0/24 behind ether3: /queue simple add name=myRateLimiting target=192.168.128.0/24 max-limit=1M/1M dst=ether3 with "print" you can see it with the other fields it has, for example: print Flags:...
by mutluit
Sun Jul 05, 2020 1:36 am
Forum: Beginner Basics
Topic: Use Hosting ip to my server for home Solutions?
Replies: 2
Views: 897

Re: Use Hosting ip to my server for home Solutions?

Is this for just a few select TCP/UDP ports, or do you rather want redirect/forward much more traffic to your home server(s)? If your home IP(s) is/are really static then that's an advantage, but then one wonders why you need the IPs from the hoster? Because you could just enter your static home IP ...
by mutluit
Sun Jul 05, 2020 1:17 am
Forum: Beginner Basics
Topic: All SFP+ traffic is routed across 1Gb ethernet
Replies: 3
Views: 870

Re: All SFP+ traffic is routed across 1Gb ethernet

Check your routes on that device ( /ip route print ).

Best is to issue the following command, and then download the file (export-hs.rsc) and post its content:
/export file=export-hs hide-sensitive
by mutluit
Sun Jul 05, 2020 12:45 am
Forum: General
Topic: Inbound SMS run script pass number [SOLVED]
Replies: 8
Views: 5811

Re: Inbound SMS run script pass number [SOLVED]

See https://shop.duxtel.com.au/article_info.php?articles_id=25 It says: RouterOS lists such modems as serial port that appears in '/port print' listing. The following command can be issued to send SMS: /tool sms send port=port dst-smsc=smsc message=message Example: /tool sms send port=usb3 "04X...
by mutluit
Sat Jul 04, 2020 6:22 pm
Forum: General
Topic: User restricted to serial login
Replies: 2
Views: 1063

Re: User restricted to serial login

I'm looking to create a user that can only login via the serial interface. (console port) I thought about setting its allowed address to 0.0.0.0/32. That should at least prohibit any IP connection attempts, right? Would this still allow MAC connections? We'll probably disable that, so that's fine. I...
by mutluit
Sat Jul 04, 2020 3:32 pm
Forum: General
Topic: Inbound SMS run script pass number [SOLVED]
Replies: 8
Views: 5811

Re: Inbound SMS run script pass number [SOLVED]

I'm trying to write a script so when the Mikrotik receives an SMS it runs the script, gathers some information from the Mikrotik, and then sends an SMS back to the number that sent the request. Is there any way to pass the phone number of the incoming message to the script so it can be used within ...
by mutluit
Sat Jul 04, 2020 3:14 pm
Forum: General
Topic: Weird perfomance! [SOLVED]
Replies: 8
Views: 2982

Re: Weird perfomance! [SOLVED]

For CRS3xx the docs say that currently HW Offloading is effective only on one bridge.
Not sure whether this applies to your CRS model(s) as well, so check the docs.
by mutluit
Fri Jul 03, 2020 11:43 pm
Forum: General
Topic: Hacking attempt from AVM WAN router to hosts in LAN ? [SOLVED]
Replies: 2
Views: 2259

Re: Hacking attempt from AVM WAN router to hosts in LAN ? [SOLVED]

The AVM Fritz devices use a check on port 80 to see if a PC has a web server running to show it in its web interface: The FRITZ!Box uses TCP port 80 to check regularly whether computers or other devices connected to the FRITZ!Box offer web services accessible over HTTP, such as a user interface. Th...
by mutluit
Fri Jul 03, 2020 10:57 pm
Forum: General
Topic: Hacking attempt from AVM WAN router to hosts in LAN ? [SOLVED]
Replies: 2
Views: 2259

Hacking attempt from AVM WAN router to hosts in LAN ? [SOLVED]

Hi, network security analysts, what do you make up of this? : I've activated logging for the default firewall rule that says in its comment field "defconf: drop all from WAN not DSTNATed". And in the log I find the following very suspicious entries. For orientation: the WAN router is an AV...
by mutluit
Fri Jul 03, 2020 4:06 am
Forum: Beginner Basics
Topic: What stops me from reaching the web interface?
Replies: 1
Views: 841

Re: What stops me from reaching the web interface?

You should post the output of:
/ip export hide-sensitive
by mutluit
Fri Jul 03, 2020 3:55 am
Forum: Beginner Basics
Topic: IP conflict on WAN interface
Replies: 1
Views: 807

Re: IP conflict on WAN interface

Check this:
https://wiki.mikrotik.com/wiki/Manual:Interface/PPPoE
"It is advised not to use static IP addresses or DHCP on the same interfaces as PPPoE for obvious security reasons."

verify with this:
/ip address print

or in GUI under IP / Addresses
by mutluit
Fri Jul 03, 2020 3:19 am
Forum: General
Topic: Port mode access on crs3xx ether type 0x88a8
Replies: 1
Views: 1043

Re: Port mode access on crs3xx ether type 0x88a8

Hello everyone, I'm trying to put a crs328 port in access mode and it doesn't work when ether type = 0x88a8 could someone help me with this situation? What is not working, what are the symptoms, which firmware and version? I myself don't use VLAN, but IMO it should be something like this: :global m...
by mutluit
Wed Jul 01, 2020 10:31 pm
Forum: General
Topic: Traffic Generator - Big vs small packets (strange) results
Replies: 7
Views: 2013

Re: Traffic Generator - Big vs small packets (strange) results

@dadox, can you briefly describe what is so puzzling for you? Update: ok, got it: you mean the difference between Tx and Rx packets in the 2nd table... Easy explanation: some "TCP resend" packets occurred, that's IMO normal. Similar differences are present also in 1st table, maybe you overl...
by mutluit
Wed Jul 01, 2020 9:12 pm
Forum: General
Topic: Traffic generated by the switch doesn't respect VRF segregation
Replies: 4
Views: 1676

Re: Traffic generated by the switch doesn't respect VRF segregation

The whole point of a VRF is to have separate routing tables, different virtual routing instances. I am not fully into mikrotik way of thinking but this behavior sounds more like a bug to be honest... And my understanding is that this happens since router OS doesn't really use different routing tabl...
by mutluit
Wed Jul 01, 2020 8:08 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

Glad to see that @Diresta's problem of transparent port-forwarding within the same LAN has been solved by using iptables' port-forwarding function on the old server(s). It would have functioned also centrally on a Linux router with iptables as shown in posting #41 https://forum.mikrotik.com/viewtopi...
by mutluit
Tue Jun 30, 2020 11:13 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

No, it doesn't work here, though I haven't tried other ROS versions. Such a task should be doable centrally on a router or switch with just a few firewall rules, nothing more. You OTOH seem to say one needs to reconfigure the net. Never mind, I've seen enough and experienced enough. You clearly sti...
by mutluit
Tue Jun 30, 2020 10:56 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

@xvo, FYI: here's a solution using iptables on a linux router with a bridge. It reads "Port forwarding between bridged interfaces": https://askubuntu.com/questions/720207/port-forwarding-between-bridged-interfaces It's a similar problem-case: moving services from one host to another host ...
by mutluit
Tue Jun 30, 2020 9:33 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

But you have to admit that it's not satisfactory if it works as wished/intended from other LANs and WAN, but not from inside the same LAN. One has to question why ROS can't handle that, don't you agree? I would classify that as a bug, or at least as a shortcoming or as a missing capability... And...
by mutluit
Tue Jun 30, 2020 7:29 pm
Forum: Beginner Basics
Topic: Improve my set-up (extend WiFi and host a server)
Replies: 2
Views: 985

Re: Improve my set-up (extend WiFi and host a server)

ISP ===> Router in the attic ===> hAP lite 1 (office) ===> hAP lite 2 (living room) 2. Make the web server on my main PC accessible from outside (I want to host a Foundry VTT game) For the above you need to find out the port number(s) (0 to 65535) and their protocol (tcp, udp etc.) [ie. in your cas...
by mutluit
Tue Jun 30, 2020 6:54 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

The problem with RouterOS seems to be that port-forwarding using DNAT/SNAT within the same LAN seems not possible. In my experiments here so far port-forwarding in ROS works only for clients from other LANs as well from the WAN side, but not from inside the same LAN. It's not a RouterOS problem. Ac...
by mutluit
Tue Jun 30, 2020 12:22 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

@Diresta, which RouterOS version does your device have? And can you post the output of this: /interface export hide-sensitive And: together with the new servers will also the old servers be online at the same time during the transition phase? If yes, and if your servers do have iptables, then you co...
by mutluit
Tue Jun 30, 2020 6:36 am
Forum: General
Topic: Intermittent timeout when trying to ssh or webfig into CRS328
Replies: 1
Views: 842

Re: Intermittent timeout when trying to ssh or webfig into CRS328

Take 1 of the ports out of the bridge, give it an IP/mask (for example 192.168.128.254/24, ie. creating a new LAN 192.168.128.0/24), and attach a host to that port, and try ssh & webfig from that host to that new gateway IP (ie. login to the CRS via this new gateway IP). Of course with the above...
by mutluit
Tue Jun 30, 2020 3:40 am
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

I don't exactly understand what is that thing, that is working, for you have only one host on your LAN in your example. And even if there is a thing, and it is actually working, how is it supposed to continue to work after you put two hosts on one dumb switch?! These two hosts will connect to each ...
by mutluit
Tue Jun 30, 2020 3:29 am
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

@Sob, your solution is very interesting, but unfortunately in current beta8 it hangs in a loop so that the router reboots endlessly :-( I suspect it is the masquerade rule with src-addr and dst-addr equal. But if it works well with stable/long-term version then it could indeed be the solution for th...
by mutluit
Mon Jun 29, 2020 9:52 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

@xvo, "that thing..." gave me a good laugh. Might be a solution, but that will mean all clients will have to be reconfigured to point to WAN address and not internal address of server Hmm. yes, you are right. But I think that problem is solvable too. I'll check. Update: I now tested using...
by mutluit
Mon Jun 29, 2020 9:34 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

I don't exactly understand what is that thing, that is working, for you have only one host on your LAN in your example. And even if there is a thing, and it is actually working, how is it supposed to continue to work after you put two hosts on one dumb switch?! These two hosts will connect to each ...
by mutluit
Mon Jun 29, 2020 9:02 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

ATTN everybody! I now have found a solution. Will post it shortly. But it works only if no bridge is configured in RouterOS :-( Could be a ROS bug... Then how exactly did you create a Layer 2 Broadcast Domain if you configured no Bridge ? Just assign an IP to the router port, for example ether2: 19...
by mutluit
Mon Jun 29, 2020 8:38 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

Ok, here's the said solution: Solution for port forwarding for both WAN-to-LAN as well LAN-to-LAN (incl. inside same LAN): On my router (hAP ac^2 with RouterOS 7.0beta8) with no NAT (ie. as 2nd router) now the following solution works: IP of WAN interface (ether1): 192.168.254.253/24 IP of ether2 (i...
by mutluit
Mon Jun 29, 2020 8:23 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

ATTN everybody!
I now have found a solution. Will post it shortly. But it works only if no bridge is configured in RouterOS :-( Could be a ROS bug...
by mutluit
Mon Jun 29, 2020 6:21 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

@sindy, I'm looking for a solution for port-forwarding from lanIP1:port to lanIP2:port within the same LAN. Is there a solution available for this (simpler) problem?
Ie. connections to 192.168.88.12:8512/tcp shall be (on the router) redirected to 192.168.88.11:8511
by mutluit
Mon Jun 29, 2020 5:12 pm
Forum: General
Topic: LAN to LAN forwarding [SOLVED]
Replies: 63
Views: 21514

Re: LAN to LAN forwarding [SOLVED]

Port forwarding from wanIP:port to lanIP:port works.
What the OP wants to know is how to port forward from internal lanIP1:port to internal lanIP2:port.
Me too interested in the solution. :-)
by mutluit
Mon Jun 29, 2020 4:10 pm
Forum: RouterOS beta
Topic: beta8 bug: "scp" hangs
Replies: 0
Views: 923

beta8 bug: "scp" hangs

"ssh" login to the router (hAP ac^2) is ok. But copying a file from PC to the router using the "scp" command starts the copying, but it then hangs. On the router a temporary file name is created with size 0 bytes. (15:00:53) xxx@yyy:~/tmp$ scp -p22 test.rsc admin@192.168.127.254:...
by mutluit
Mon Jun 29, 2020 3:29 pm
Forum: Beginner Basics
Topic: Export / Import [SOLVED]
Replies: 4
Views: 2652

Re: Export / Import [SOLVED]

Via GUI you can do System/ResetConfiguration and specify the import script in the field "Run After Reset". But see also this thread for possible problems: https://forum.mikrotik.com/viewtopic.php?t=123656 Thank you very much - I will try in the next days :-) Regarding " problems &quo...
by mutluit
Sun Jun 28, 2020 6:28 pm
Forum: Beginner Basics
Topic: Export / Import [SOLVED]
Replies: 4
Views: 2652

Re: Export / Import [SOLVED]

I exported all data from my wAP #1, adapted the data inside the file and now I would like to import the data in my wAP #2 ... Is there any possibility to do it through the current/running setup on #2 or is there some need to reset #2 first and then to import afterwards ? Via GUI you can do System/R...
by mutluit
Sun Jun 28, 2020 5:52 pm
Forum: General
Topic: What network cards does RouterOS support?
Replies: 1
Views: 1616

Re: What network cards does RouterOS support?

Good afternoon. Please tell me the link to the page where I can find a list of network cards for stable work with RouterOS. What max speed do you mean? Is this intended for server or workstation/PC? For up to Gigabit Ethernet I think you can take any of the common ones in the market (HP, IBM, Dell, ...
by mutluit
Sun Jun 28, 2020 5:05 pm
Forum: General
Topic: Strange problem with Internet
Replies: 8
Views: 2423

Re: Strange problem with Internet

I couldn't find whats wrong and my ISP told us that everything is fine with the line. Asking around someone suggested me to use the following rules on mikrotik chain=forward action=change-mss new-mss=1418 passthrough=yes tcp-flags=syn protocol=tcp out-interface=ether11-wan1 tcp-mss=1419-65535 log=n...
by mutluit
Sun Jun 28, 2020 4:28 pm
Forum: General
Topic: Gateway issue?
Replies: 5
Views: 1934

Re: Gateway issue?

How many LANs do you have? Gateway functions upwards, not downwards. Since according to your drawing your server is connected to both routers, then it already must use two gateways. Just specify the IP of the router interface/bridge for each respective interface on the server. Normally such two rout...
by mutluit
Sun Jun 28, 2020 4:18 pm
Forum: RouterOS beta
Topic: beta5 bug: '/export verbose' hangs [SOLVED]
Replies: 10
Views: 5592

Re: beta5 bug: '/export verbose' hangs [SOLVED]

This error seems to be fixed in later versions. In 7.0beta8 it's not present (tested on router hAP ac^2).
by mutluit
Sun Jun 28, 2020 4:07 pm
Forum: RouterOS beta
Topic: beta5 bug: http Webfig downloading .txt files not working
Replies: 1
Views: 1378

Re: beta5 bug: http Webfig downloading .txt files not working

That same error is present also in 7.0beta8 (tested on router hAP ac^2).
by mutluit
Sun Jun 28, 2020 3:55 pm
Forum: RouterOS beta
Topic: beta8 bug: ACL redirect-to-cpu breaks bridge
Replies: 1
Views: 1297

Re: beta8 bug: ACL redirect-to-cpu breaks bridge

Error persists even when explicitly specifying "new-dst-ports=switch1-cpu", ie.:
add comment="redirect_all_traffic_to_cpu" ports=$myPorts redirect-to-cpu=yes switch=switch1 new-dst-ports=switch1-cpu disabled=no
by mutluit
Sat Jun 27, 2020 9:13 pm
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

Only now, as looking for the difference between your setup and mine, I have noticed that you are setting the rules using ROS 7.0beta8 - it can only be seen in the export header, you don't mention that anywhere in the text. On long-term (6.45.9), I've just tried the following rules: [me@MyTik] > int...
by mutluit
Sat Jun 27, 2020 9:06 pm
Forum: RouterOS beta
Topic: beta8 bug: ACL redirect-to-cpu breaks bridge
Replies: 1
Views: 1297

beta8 bug: ACL redirect-to-cpu breaks bridge

If one has as one of the very first switch ACL rules a "redirect-to-cpu all traffic" then the bridge stops functioning. Let's say bridge has own IP and has the members ether1, ether2, ether3, ether4. Then the following ACL rule will make the bridge inoperational so that attached PCs cannot...
by mutluit
Sat Jun 27, 2020 4:28 am
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

More insights:

Besides mac-protocol=arp also mac-protocol=ip has problems, as it does not map to its EtherType 0x0800.

This means one needs both the name variant as well the number variant when adding these rules into the rule table.

About the reasons one can only speculate...
by mutluit
Sat Jun 27, 2020 3:26 am
Forum: General
Topic: bridge filter CRS326
Replies: 6
Views: 2473

Re: bridge filter CRS326

Yes switch rules with new-dst-ports="" are working (packets successfully dropped), but this is ingress packets. I'm trying to block output packets. You can do that via src-address (IP address/Mask) Ie. via the mask you can cover all your LAN... See the ACL table in one of the links I had ...
by mutluit
Sat Jun 27, 2020 2:43 am
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

Open a ticket and send tech support a 'supout' along with your documented evidence and hopefully they will respond. My question is ,,,, will this 'bug' affect normal usage? I already did enough, made them aware of a severe bug and even located the bug. I'm not going to make any more. Enough is enou...
by mutluit
Sat Jun 27, 2020 2:19 am
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

New insights: Both are necessary! arp via name as well via number. Then this can only mean that "arp by name" uses another essential (undocumented) EtherType. Otherwise it does not make any sense, IMO. Unless there is a memory problem caused by "double free'ing", "use after ...
by mutluit
Sat Jun 27, 2020 1:05 am
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

@sindy, I understand, it's really mysterious. Here's another mystery to add to the confusion list: in my print list the rule #41 gets interpreted as another "802.2" though it has a totally different EthType (0x0008). The correct "802.2" has EtherType 0x0004 (rule #19 and #2 in th...
by mutluit
Sat Jun 27, 2020 12:49 am
Forum: General
Topic: L2 ACL on NetPower 16P via ROS
Replies: 2
Views: 1218

Re: L2 ACL on NetPower 16P via ROS

@kowal, take a look at this thread as there are some ACL examples:
viewtopic.php?f=2&t=162887
by mutluit
Fri Jun 26, 2020 11:47 pm
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

It's strange. On my hAP ac² (running 6.45.9), if I add the rule with mac-protocol=0x0806, it is both printed and exported with mac-protocol=arp, i.e. the conversion seems to work both ways. So I don't get why in your case there is a difference in behaviour when you add it as "arp" and...
by mutluit
Fri Jun 26, 2020 11:00 pm
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

ATTN MikroTik developers & ACL users: After some lengthy testing, the error finally has been found! : The endian-error is with the mac-protocol "arp" (EtherType 0x0806). It can be an endian-error or a simple parsing error from the string "arp" to the right EthType numeric va...
by mutluit
Fri Jun 26, 2020 8:24 pm
Forum: General
Topic: Problem 10G CRS317-1G-16S+RM and SFP+ direct attach cable (S+DA0001, S+DA0003)
Replies: 10
Views: 3020

Re: Problem 10G CRS317-1G-16S+RM and SFP+ direct attach cable (S+DA0001, S+DA0003)

@nickkk, I can just suggest this: use iperf on PCs for performance tests, not the integrated traffic generators on the routers or switches as this creates additional CPU load which then is missing for the device itself to perform its routing/switching job. And: do the test first w/o VLAN, and on a s...
by mutluit
Fri Jun 26, 2020 7:22 pm
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

A wild guess here... there is a bug in the bridge filter rules, where the bytes in the 16-bit values of the ethertype field in the 802.1Q headers are swapped on some CPU architectures, and arm (which is the architecture of hAP ac²) is one of these whereas mipsbe is not affected by that; however, th...
by mutluit
Fri Jun 26, 2020 4:57 pm
Forum: General
Topic: Problem 10G CRS317-1G-16S+RM and SFP+ direct attach cable (S+DA0001, S+DA0003)
Replies: 10
Views: 3020

Re: Problem 10G CRS317-1G-16S+RM and SFP+ direct attach cable (S+DA0001, S+DA0003)

Is it true that two CRS317-1G-16S+RM devices are involved in this test? Why not testing on a single device first? If really two are involved, then they better should be in their own LAN (ie. IP should be something like 192.168.88.1/24 and the other should be 192.168.89.1/24). At least for the testin...
by mutluit
Fri Jun 26, 2020 2:54 pm
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

It seems there is a bug in ACL b/c I did use the "Tools / PacketSniffer" tool over interfaces=all, but all the mac-protocols it lists are already present in the ACL... Packet Sniffer runs on CPU, not hardware. You will need to temporarily disable hardware acceleration on the port(s) that ...
by mutluit
Fri Jun 26, 2020 1:17 am
Forum: General
Topic: i need help: Lost Vlan Admin HELP HELP
Replies: 1
Views: 1282

Re: i need help: Lost Vlan Admin HELP HELP

If multiple ports of it have IPs, just try to connect to each IP via Winbox or Webfig.
If possible also by connecting the PC to the right port, if the above step doesn't work.
by mutluit
Fri Jun 26, 2020 12:58 am
Forum: RouterOS beta
Topic: beta8: possible bug in switch rules (ACL)
Replies: 0
Views: 1113

beta8: possible bug in switch rules (ACL)

I encountered a possible bug with ACL usage: it is not possible to use a final rule which says "block all other". Details here:
viewtopic.php?f=2&t=162887
by mutluit
Thu Jun 25, 2020 11:58 pm
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

Re: ACL firewall problem (missing L2 EtherType)

I've now added all documented mac-protocols I could find in the wiki pages, ie. mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan) And the behavior is...
by mutluit
Thu Jun 25, 2020 9:08 pm
Forum: General
Topic: ACL firewall problem (missing L2 EtherType)
Replies: 17
Views: 6197

ACL firewall problem (missing L2 EtherType)

On router hAP ac^2 I monitored the traffic using "Tools / Torch" in the GUI and added all observed L2 EtherTypes via ACL into the rule table of the switch-chip. But as soon as I activate the last rule by setting disabled=no then Internet stops functioning. What other EtherType is highly li...
by mutluit
Thu Jun 25, 2020 6:31 pm
Forum: Beginner Basics
Topic: NAT WAN to subnet [SOLVED]
Replies: 9
Views: 3873

Re: NAT WAN to subnet [SOLVED]

On the router you can assign multiple networks to a port, yes. But how do you attach the end-user devices to that port? Surely you must be using a switch for this. But then the switch cannot handle such 2 networks, unless it's a managed switch and you can tell the switch the same that you told the r...
by mutluit
Thu Jun 25, 2020 5:40 pm
Forum: Beginner Basics
Topic: NAT WAN to subnet [SOLVED]
Replies: 9
Views: 3873

Re: NAT WAN to subnet [SOLVED]

It is simply impossible to have two /24 IP networks on the same router port (that's IP routing 101, first lesson :-)). Either use a separate router port for each, or change the mask from /24 to /21 for example, and attach a dumb switch to the router port and attach the end-user devices to that switc...
by mutluit
Thu Jun 25, 2020 2:54 pm
Forum: RouterOS beta
Topic: beta8 says "#error exporting /routing/policy/selection"
Replies: 0
Views: 1036

beta8 says "#error exporting /routing/policy/selection"

When doing /export in beta8 then there is a section in the output that says "#error exporting /routing/policy/selection"
Device: hAP ac^2 (ARM) upgraded from 6.47 to 7.0beta8 (development)
by mutluit
Thu Jun 25, 2020 4:29 am
Forum: Beginner Basics
Topic: Pool Segment diferent WAN
Replies: 7
Views: 2041

Re: Pool Segment diferent WAN

In posting #2 I gave you the answer: IP / DHCP Server in GUI.
by mutluit
Thu Jun 25, 2020 12:39 am
Forum: Beginner Basics
Topic: NAT WAN to subnet [SOLVED]
Replies: 9
Views: 3873

Re: NAT WAN to subnet [SOLVED]

It should work. But your device (PC?) must be attached to the right interface on the router... Can you ping the 192.168.5.21 from the router? From other PC? And what does "/ip route print" say? And what does "/interface print" say? It seems the problem is rooted in the fact that ...
by mutluit
Thu Jun 25, 2020 12:27 am
Forum: Beginner Basics
Topic: Pool Segment diferent WAN
Replies: 7
Views: 2041

Re: Pool Segment diferent WAN

Sorry, I mean ISP (Internet providers).
Still doesn't make much sense in this context.
Are you meaning your own DHCP server for your LAN, or do you rather mean DHCP server of your ISP?
by mutluit
Wed Jun 24, 2020 11:48 pm
Forum: Beginner Basics
Topic: Pool Segment diferent WAN
Replies: 7
Views: 2041

Re: Pool Segment diferent WAN

Should be possible. Define 2 pools in IP/Pools, and assign each in /IP/DHCP Server to the wanted interface.
I don't know what you mean by "WAN", normally the interfaces "etherX" and "wlanX" are used for such assignments.
by mutluit
Wed Jun 24, 2020 11:12 pm
Forum: General
Topic: Ping Issue!
Replies: 13
Views: 3421

Re: Ping Issue!

For your PC the gateway should be the LAN IP of your router (or if the router interface where your PC is attached to has an own IP, then that IP).
For your router the gateway should be the IP of its uplink.
by mutluit
Wed Jun 24, 2020 10:02 pm
Forum: General
Topic: bridge filter CRS326
Replies: 6
Views: 2473

Re: bridge filter CRS326

@gklpnd, I have no experience with VRRP. I would suggest to experiment with a simple "normal" TCP traffic to/from a TCP port, for example by using an iperf server and a client. Then you will have gained more experience and can apply it to VRRP etc. All ACL rules have an implicit "acti...
by mutluit
Wed Jun 24, 2020 7:31 pm
Forum: General
Topic: bridge filter CRS326
Replies: 6
Views: 2473

Re: bridge filter CRS326

FYI: the traffic of ports that have Hardware Offloading enabled, does not pass thru the normal firewall locations ("CPU firewall"), but is handled within the "switch chip" using ACL rules. Ie. you should use ACL rules. There is also a rule which allows to "redirect-to-cp...
by mutluit
Tue Jun 23, 2020 10:20 pm
Forum: Wireless Networking
Topic: I WANT TO CONNECT 2 MIKROTIK AP RBwAP2nND WIRELESSLY AND DISTRIBUE WIRELESS INTERNET CONNECTIVITY FROM 2 nd AP RBw AP2
Replies: 11
Views: 3942

Re: I WANT TO CONNECT 2 MIKROTIK AP RBwAP2nND WIRELESSLY AND DISTRIBUE WIRELESS INTERNET CONNECTIVITY FROM 2 nd AP RBw

the router os is station mode. when I connect the router os by cable on my PC the ethernet light of the pc and the router lights up but winbox does not detect the router. the pc address is 192.168.88.6 through the browser I can't. What is the gateway IP address on your PC? It should be the IP of yo...
by mutluit
Tue Jun 23, 2020 4:53 pm
Forum: Wireless Networking
Topic: I WANT TO CONNECT 2 MIKROTIK AP RBwAP2nND WIRELESSLY AND DISTRIBUE WIRELESS INTERNET CONNECTIVITY FROM 2 nd AP RBw AP2
Replies: 11
Views: 3942

Re: I WANT TO CONNECT 2 MIKROTIK AP RBwAP2nND WIRELESSLY AND DISTRIBUE WIRELESS INTERNET CONNECTIVITY FROM 2 nd AP RBw

ok but currently my biggest problem is that i can't reset the access point. I tried several times the manual reset but it does not pass I also can't get access to the access point interface. is there a solution to recover my equipment? Have you also changed the IP of your PC to 192.168.88.9 for exa...
by mutluit
Tue Jun 23, 2020 2:00 pm
Forum: Wireless Networking
Topic: I WANT TO CONNECT 2 MIKROTIK AP RBwAP2nND WIRELESSLY AND DISTRIBUE WIRELESS INTERNET CONNECTIVITY FROM 2 nd AP RBw AP2
Replies: 11
Views: 3942

Re: I WANT TO CONNECT 2 MIKROTIK AP RBwAP2nND WIRELESSLY AND DISTRIBUE WIRELESS INTERNET CONNECTIVITY FROM 2 nd AP RBw

I want to extend the wifi in an area where there is no cable so I want to connect AP in station mode repeat the wifi Then you need to add AP functionality to the station as said via a virtual wlan3. But I think you cannot use the same SSID, you need to use a different one. But, it is also possible ...
by mutluit
Tue Jun 23, 2020 1:40 pm
Forum: Wireless Networking
Topic: I WANT TO CONNECT 2 MIKROTIK AP RBwAP2nND WIRELESSLY AND DISTRIBUE WIRELESS INTERNET CONNECTIVITY FROM 2 nd AP RBw AP2
Replies: 11
Views: 3942

Re: I WANT TO CONNECT 2 MIKROTIK AP RBwAP2nND WIRELESSLY AND DISTRIBUE WIRELESS INTERNET CONNECTIVITY FROM 2 nd AP RBw

It is possible to use both devices as APs, even if the 2nd is in station mode. To be able to wirelessly connect to the station, you need to add a virtual wlan (ie. wlan3) as "ap bridge" to it and configure it accordingly (with own SSID etc). Why do you need to operate 2 wireless routers in...
by mutluit
Tue Jun 23, 2020 1:28 pm
Forum: Beginner Basics
Topic: Using WLAN1 as WAN
Replies: 6
Views: 2292

Re: Using WLAN1 as WAN

@ge0rgi, as @CZFan also said, you can create or change the WAN port yourself in GUI / Interfaces / Interface List. Doing it in CLI is possible too.
by mutluit
Tue Jun 23, 2020 1:05 pm
Forum: Beginner Basics
Topic: Can I do one wlan nat & other wlan as AP for Airplay discovery
Replies: 10
Views: 2732

Re: Can I do one wlan nat & other wlan as AP for Airplay discovery

There are multiple solutions possible: 1) Give the WAN port an IP from the same subnet (192.168.0.y), disable NAT on hAP, connect the WAN port (usually ether1) of hAP to the other router, configure wlan so that it gives via DHCP IP addresses from the same subnet 192.168.0.z 2) Set the hAP into Bridg...
by mutluit
Mon Jun 22, 2020 9:17 pm
Forum: General
Topic: Forwarding UDP traffic to 2 destinations
Replies: 2
Views: 926

Re: Forwarding UDP traffic to 2 destinations

Normal iptables has a TEE target with which it is possible. Don't know if that's available also in RouterOS, but there was a discussion 4 years ago: https://forum.mikrotik.com/viewtopic.php?t=105166 Some MT router and switch models can mirror user-defined packets via ACL rules, but don't know whethe...
by mutluit
Mon Jun 22, 2020 8:04 pm
Forum: General
Topic: View configured static routes
Replies: 11
Views: 4914

Re: View configured static routes

Thanks - yes I am aware of the possibility to display this information using the CLI. My question was - is it possible using winbox?
Yes, IP / Routes in GUI. Those with "S" are the static ones, which also can be edited.
by mutluit
Mon Jun 22, 2020 7:45 pm
Forum: Wireless Networking
Topic: hAP ac^2: Q on passwords and wireless speed
Replies: 18
Views: 4105

Re: hAP ac^2: Q on passwords and wireless speed

Names I use are like
wAP1_2, wAP1_5, wAP2_2, wAP2_5, hAP_2, hAP2_5 for the 2.4 and 5 GHz radio's.
@bpwl, where do you define that? Is it the "Name" field on the wlan interface page, or a different field?
by mutluit
Mon Jun 22, 2020 7:23 pm
Forum: Wireless Networking
Topic: station bridge
Replies: 2
Views: 5140

station bridge

I can connect via wlan to an AP by setting the wlan to "station" or "station bridge" mode (both devices are MT hAP ac^2 with RouterOS v6.47). I wonder what the difference between "station" and "station bridge" is. What are the capabilities of these modes? When...
by mutluit
Mon Jun 22, 2020 7:07 pm
Forum: Beginner Basics
Topic: Can I do one wlan nat & other wlan as AP for Airplay discovery
Replies: 10
Views: 2732

Re: Can I do one wlan nat & other wlan as AP for Airplay discovery

Sorry, but I still don't think anybody understands what you really want to achieve.
Your question should be short and precise.
Sorry, I can't help as I don't understand the problem. Maybe someone else can help.
It's really frustrating to read such imprecise postings.
by mutluit
Mon Jun 22, 2020 6:53 pm
Forum: Wireless Networking
Topic: hAP ac^2: Q on passwords and wireless speed
Replies: 18
Views: 4105

Re: hAP ac^2: Q on passwords and wireless speed

Hi, I have same router and want to figure out one thing. What is Radio name? What value should it has? Should it be equal to MAC address? Yes, MAC of the other side w/o the colons, and only If two MikroTik wireless devices connect to each other. In other cases (for example if a smartphone connects ...
by mutluit
Sun Jun 21, 2020 1:11 pm
Forum: General
Topic: Wireless traffic counters
Replies: 3
Views: 1529

Re: Wireless traffic counters

Excellent. Thanks. It wasn't covered in the Wiki that I could find, although the CLI command you provided had occurred to me. It didn't work because I tried /interface wlan1 reset-counters which is wrong. A tip: in CLI you can press TAB at any valid location (ie. before or after a word) and it will...
by mutluit
Sat Jun 20, 2020 8:17 pm
Forum: General
Topic: Wireless traffic counters
Replies: 3
Views: 1529

Re: Wireless traffic counters

Is there any way to reset the Interface>>Wireless>>Traffic TX/RX bytes/packet/drops/errors counters such as can be done with the ETH and Bridge interfaces? In CLI you can do the following: /interface reset-counters wlan1 It seems in GUI it's not possible for wireless interfaces, or was forgotten to...
by mutluit
Sat Jun 20, 2020 7:47 pm
Forum: Beginner Basics
Topic: Open port 443 for a device on the LAN
Replies: 6
Views: 6490

Re: Open port 443 for a device on the LAN

I've figured out how to open the port broadly. Now when I go to yougetsignal.com it says the port is open. Just not sure how secure this is and if there's a better way? I set the Chain to input > Protocol TCP > Any. Port 443. The security must be provided by the service itself, ie. by the applicatio...
by mutluit
Sat Jun 20, 2020 7:26 pm
Forum: Beginner Basics
Topic: Basic config no internet no local network
Replies: 2
Views: 1339

Re: Basic config no internet no local network

Nowadays many applications don't work without Internet connection.
Having a local DNS server is good for caching, but it can't solve the problem since it too needs Internet connection to its uplink servers (ie. 8.8.8.8 etc. are in Internet).
by mutluit
Sat Jun 20, 2020 6:54 pm
Forum: Beginner Basics
Topic: I can't open ports
Replies: 4
Views: 2030

Re: I can't open ports

For easy understanding you better should make a drawing of your network. Since you seem to be using 2 routers, then it could be that you have a "Double NAT Problem". On which of the routers do you have NAT enabled? You should have NAT enabled only on the WAN router, and disable it on all o...
by mutluit
Sat Jun 20, 2020 6:00 pm
Forum: Beginner Basics
Topic: Use MikroTik as second router
Replies: 13
Views: 5125

Re: Use MikroTik as second router

If you can not set ISP router in bridge mode, you will have double NAT, but other than that, most stuff should work. I have a similar setup like the OP, but the difference is that I let only run DNS server and NTP server (time server) on the WAN router, everything else runs on the 2nd router. There...
by mutluit
Sat Jun 20, 2020 6:28 am
Forum: Wireless Networking
Topic: Please help me with my 14Km link. [SOLVED]
Replies: 3
Views: 2996

Re: Please help me with my 14Km link. [SOLVED]

https://en.wikipedia.org/wiki/Antenna_gain#Example_calculation Looks like some rocket science :-) See also https://www.simplewifi.com/pages/antenna-basics According to their table it seems for your 14km you need a "Parabolic Grid 24 dBi Directional Antenna", or better. But they also say &q...
by mutluit
Fri Jun 19, 2020 3:45 am
Forum: Wireless Networking
Topic: Connecting two LANs via two WLANs
Replies: 0
Views: 930

Connecting two LANs via two WLANs

I'll soon perform this WLAN experiment: connecting two LANs via two WLANs using basic IP routing (ie. w/o any tunneling):

           WLAN1(.132.254/24)      WLAN2(.142.254/24)
                  |                       |
WAN1 --------- R1                       R2 ------------ WAN2
                  |                       |
           LAN1(.131.254/24)       LAN2(.141.254/24)

Routers R1 and R2 are not cable-connected with each other...
by mutluit
Fri Jun 19, 2020 2:32 am
Forum: General
Topic: Network loop?
Replies: 6
Views: 7156

Re: Network loop?

You should post your config for analysis, ie in CLI:
/export hide-sensitive file=export-hs
and then see in /Files for the file...
by mutluit
Fri Jun 19, 2020 2:01 am
Forum: Beginner Basics
Topic: New to Mikrotik - Config Help FW
Replies: 12
Views: 4666

Re: New to Mikrotik - Config Help FW

It is already on the first post as attachment :D
Ok, I see.
But come on, man, are you joking? :-) This is a full-blown very complex configuration, not a basic/initial configuration.
Sorry, I'm out. Maybe someone else can take a look.
by mutluit
Fri Jun 19, 2020 1:53 am
Forum: Beginner Basics
Topic: New to Mikrotik - Config Help FW
Replies: 12
Views: 4666

Re: New to Mikrotik - Config Help FW

Which router do you have and which OS and version does it have?
If it has RouterOS then you should post the output of this CLI command:
/ip export hide-sensitive
by mutluit
Fri Jun 19, 2020 1:38 am
Forum: Beginner Basics
Topic: New to Mikrotik - Config Help FW
Replies: 12
Views: 4666

Re: New to Mikrotik - Config Help FW

To simplify things I would suggest to use two routers in series, then on the border router you would have NAT, and on the inner router disable NAT (and this step simplifies all the rest). Firewall chains: input: traffic destined to the router itself output: traffic from the router itself forward: th...
by mutluit
Fri Jun 19, 2020 1:23 am
Forum: Beginner Basics
Topic: Hardware advice, small company network
Replies: 4
Views: 1577

Re: Hardware advice, small company network

These are big infrastructure changes. IMO you better should consult a professional network consultant, preferably a MikroTik certified one. No, I'm not :-) Tell him/her also how fast your WAN link is, how your LAN is structured (#networks, #subnets), whether VLAN is used etc., ie. the usual things n...
by mutluit
Thu Jun 18, 2020 8:20 pm
Forum: General
Topic: Lan security
Replies: 5
Views: 1932

Re: Lan security

Dot1x is used when we have mikrotik switch.
Is there any solution when 30 clients are connected to a hub and the hub is connected to mikrotik router interface
So, you are concerned of security, but are using a hub (instead of a switch) for 30 clients?
What hub model is it?
by mutluit
Thu Jun 18, 2020 7:51 pm
Forum: Wireless Networking
Topic: What settings in WIRELESS will affect CAPSMAN
Replies: 2
Views: 1620

Re: What settings in WIRELESS will affect CAPSMAN

What settings in WIRELESS(command: /interface wireless) will affect CAPSMAN ?
Take a look at viewtopic.php?f=7&t=162494
There are the configs of both posted.
by mutluit
Thu Jun 18, 2020 5:35 pm
Forum: General
Topic: API Document for latest Router OS Version
Replies: 1
Views: 786

Re: API Document for latest Router OS Version

We are trying to integrate our Mikrotik router CCR1036-8G-2S+ with Bandwidth manager router of 24online server and they have requested us to provide them with API document of Mikrotik router of current router OS version any that is available. https://wiki.mikrotik.com/wiki/Manual:API It says "...
by mutluit
Thu Jun 18, 2020 5:22 pm
Forum: General
Topic: Mac Address Range
Replies: 1
Views: 1597

Re: Mac Address Range

Is there a way in the firewall to filter by a MAC address range? Say all the MAC addresses owned by Company X? At some locations in the config, like the ACL, one indeed can specify MAC/subnet, see for example https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Port_Security /interface ethe...
by mutluit
Thu Jun 18, 2020 5:06 pm
Forum: General
Topic: Join to multicast group
Replies: 1
Views: 882

Re: Join to multicast group

Search "MikroTik multicast"
See for example this: https://www.premitel.uk/consultancy/exp ... uterboard/
by mutluit
Thu Jun 18, 2020 4:53 pm
Forum: General
Topic: Lan security
Replies: 5
Views: 1932

Re: Lan security

1. Is there any way to limit dhcp server to assign ip for clients that are authenticated, not all the clients that are physically connected? 2. If not is it possible to prevent connecting unknown computers to lan? Is mac filter the only way? 3. What about user manage? Is it possible to authenticate cli...
by mutluit
Thu Jun 18, 2020 4:16 pm
Forum: General
Topic: How can I find out the reason for NAK?
Replies: 5
Views: 2422

Re: How can I find out the reason for NAK?

Hi there. I faced a problem recently. SVI of my switch doesn't get IP-address via DHCP server on my Mikrotik 951Ui-2nD (6.42.1). Although it gets IP-address via ISC-DHCP server. I've watched the log but can't find the reason of NAK. How can I do that? P.S. Attached log from mikrotik. For analysis y...
by mutluit
Thu Jun 18, 2020 3:34 pm
Forum: General
Topic: RouterOS changed IP address association without input
Replies: 1
Views: 746

Re: RouterOS changed IP address association without input

I had similar encounters :-)
I've documented it here: viewtopic.php?f=2&t=162506&p=801039#p801039
by mutluit
Thu Jun 18, 2020 1:51 pm
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

And about Quick Set, one should better not use it at all after any change done outside of it. Indeed, it was also the reason for the late wlan2 problem: the "/ip address" list was messed up: had 2 different gateway entries for ether2. This happens if one tries on the QuickSet page to fix...
by mutluit
Thu Jun 18, 2020 2:56 am
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

Btw, a warning: one better should not use (ie. fill) the "Guest Network" entries under QuickSet as it again creates the bridge and puts all interfaces into it... :-) I just had tried it out, but since it didn't function I reverted everything back, but now it seems wlan2 is no more function...
by mutluit
Thu Jun 18, 2020 2:45 am
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

"Bridge1" is no router, it is functioning as a switch. There are no routing decisions in the switch Bridge1. Bridge1 is just another interface to the router, and for the router it fully replaces ether1,wlan1 and wlan2. The Bridge1/switch is making one single LAN (broadcast domain) with t...
by mutluit
Thu Jun 18, 2020 2:39 am
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

There were two configs. Original with individual interfaces and no bridge. And then exploring dead ends with bridge that did something, but not that much, because the main problem (missing gateway) was still present. I'll rest my case. No more comments. This first model was made based on an earlier...
by mutluit
Wed Jun 17, 2020 8:26 pm
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

SOLVED! Thanks @Sob! As he said in https://forum.mikrotik.com/viewtopic.php?f=2&t=162506&p=800866#p800866, entries under "/ip dhcp-server network" were missing. After adding it there and removing the bridge and reactivating DHCP pools for wlan1 and wlan2 (192.168.132.0/24 and 192.1...
by mutluit
Wed Jun 17, 2020 7:44 pm
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

It's the client device that needs default gateway. When it gets config from dhcp, it would be: /ip dhcp-server network add address=192.168.254.0/24 gateway=192.168.254.253 <other options> But you don't have anything like that. Not that it's completely correct, because .253 is on this router, but as...
by mutluit
Wed Jun 17, 2020 7:25 pm
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

@Sob, the DHCP server is only for wlan clients; all other devices have manually configured static IP and gateway (and DNS server etc.).

@bpwl, see bridge1 in routing table: ether1, wlan1, wlan2 use that for their routing decision, IMO. The bridge1 was added by ROS itself to the routing table.
by mutluit
Wed Jun 17, 2020 6:43 pm
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

Where is default gateway for 192.168.254.x clients, don't they have any? If not, then 192.168.254.0/24 is all they can access, nothing else. This is the routing table. IIRC only record #4 was defined manually by me, the rest is auto-generated by RouterOS: [admin2@MikroTik-AP] > /ip route print Flag...
by mutluit
Wed Jun 17, 2020 6:39 pm
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

I don't see addresses to be assigned to wlan1 and wlan2. As said in a prev posting, the gateway addresses for wlanX (.132.254 and .133.254) in my OP I had to remove for this latest partial-working solution (actually it didn't make any difference whether they continued existing or not). The wlan cli...
by mutluit
Wed Jun 17, 2020 6:10 pm
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

Is there perhaps anything else you have in your config? Maybe posting the whole thing could help. Because none of the routers I have ever seen cared whether interface is ether or wlan, and I don't see why there should be any difference. Below is the "/export hide-sensitive file=export-hs"...
by mutluit
Wed Jun 17, 2020 5:33 pm
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

or to continue ... Can a wlan1 device be pinged from the router itself or from another wlan1 device? And of course the reverse route must exist in the wlan1 device with router as gateway. Pinging wlan clients from all devices connected to the same subnet on ether1 (ie. 192.168.254.x) works, as well...
by mutluit
Wed Jun 17, 2020 3:50 pm
Forum: RouterOS beta
Topic: Feature Request For Centrally Handling All Authentication Failures
Replies: 2
Views: 1340

Feature Request For Centrally Handling All Authentication Failures

Proposal/FeatureRequest For Centrally Handling All Authentication Failures For Banning And/Or Executing A Script Each AuthFailure should be sent to an AuthFailureSystem similar to the firewall, but much simpler: add error-source=serviceId error-category=... error-code=... action=ban ban-duration=......
by mutluit
Wed Jun 17, 2020 2:53 pm
Forum: Scripting
Topic: How to get SrcIP address from PPTP Auth failure log?
Replies: 5
Views: 4886

Re: How to get SrcIP address from PPTP Auth failure log?

Any ideas how to get SRC IP from failed PPTP authentication parsing log files?
The IP is in the previous log line "TCP connection established from ..."
by mutluit
Wed Jun 17, 2020 2:04 pm
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

Your latest post indicates that indeed it's what @sob wrote: ... and if they have own firewalls, they must allow pings from other subnet. There is no firewall issue. As already said: etherX to etherY works w/o any problems with just default/automatic routing settings on the router, and firewall on ...
by mutluit
Wed Jun 17, 2020 6:50 am
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

I could achieve only a partial solution which allows to ping/connect to the wlan-client only from the WAN-side (ether1). For this to work I had to do these steps: 1.) Create a bridge "bridge1" and put WAN, (ether1), wlan1, wlan2 into it. 2.) Create an IP Pool for the DHCP Server with an IP...
by mutluit
Wed Jun 17, 2020 6:19 am
Forum: Scripting
Topic: Script for If enivorment = then do
Replies: 14
Views: 3382

Re: Script for If enivorment = then do

Hi It works just curious why this won't work inside system scripts work at the console if run as script use /import says invalid URL not sure how to debug that i assume it same URL it pull for from $configserver not sure why won't run as a script any suggestions? { :global provisionedstatus false :i...
by mutluit
Wed Jun 17, 2020 2:08 am
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

That's how IP subnets work. If you connect device with address 192.168.131.3 to any other interface than ether5, it can't work, because as the router sees it, any 192.168.131.x is connected to ether5 and it won't look for it anywhere else. Also, device looking for 192.168.131.254 won't succeed on a...
by mutluit
Wed Jun 17, 2020 1:37 am
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

Re: RouterOS illogical behavior with wireless interfaces [SOLVED]

If clients connected to wlan1 or wlan2 have this router (i.e. 192.168.132.254 or 192.168.133.254) as default gateway (or have routes to other subnets) and they answer pings from these subnets (it's not blocked by their firewalls), this tiny piece of config doesn't explain why it shouldn't work. Goo...
by mutluit
Wed Jun 17, 2020 1:01 am
Forum: General
Topic: RouterOS illogical behavior with wireless interfaces [SOLVED]
Replies: 31
Views: 8235

RouterOS illogical behavior with wireless interfaces [SOLVED]

On my router (hAP ac^2) with RouterOS v6.47 I'm using all ports as gateways for independent LANs. For this I removed the default bridge and made each port a gateway of its LAN, ie like this: /ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK INTERFACE 0 192.168.254.253...