MikroTik

eguun

This error is already identified and was supposed to be fixed in 7.14
But it’s still ongoing.
Ideally MikroTik can provide an ETA on resolution

eguun

Thanks

Searching with the error message didn’t surface this announcement. Thanks for outlining it.

Yes, I also added this log rule earlier today … but felt like hiding dirt under the carpet.
Now I have some vote of confidence as the best workaround.
Thanks I feel less guilty

eguun

Hello Since 7.14, I am seeing these messages in the logs wireguardInterface: bK[REDACTED]=: Handshake for peer did not complete after 5 seconds, retrying (try 2) eventually followed by wireguardInterface: bK[REDACTED]=: Handshake for peer did not complete after 20 attempts, giving up I'm seeing thes...

eguun

Hi Normis,

I'm re-opening this:
I just updated to 7.14, but the error persists, although the error message is slightly different

failure: there was no content-length or transfer-encoding

Is there something I can provide you with in order to replicate?

Thanks

eguun

fantastic news, many thanks Normis!

eguun

Hello, since 7.13, my fetch script returns this error when fetching a webpage: "failure: ERROR parsing http: there was no content-length or transfer-encoding" This fetch script calls a page from an ethernet relay board in the lan. The device (ref: https://www.kmtronic.com/lan-ethernet-ip-8...

eguun

This AM i upgraded my CCR1009 from version 7.12.1 to version 7.13 now getting the following error when running a script Download from https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv to RAM FAILED: Fetch failed with status 206 The same script was working fine under 7.12.1 and earli...

eguun

Thank you, exactly what I was after

eguun

Dear all, I can't find specific details on AES hardware acceleration for the CCR1009 board I'm specifically interested to know what types of AES acceleration that product can do https://mikrotik.com/product/CCR1009-7G-1C-1SplusPC AES-GCM, AES-CTR, AES-CBC ? Here the table give details on AES acceler...

eguun

FYI, I'm still going through the router to check the conf. For closure (and if this can help other post readers in the future). With the VLAN filtering now activated in the bridge, now the command /interface bridge host print indeed displays the proper VID in front of the mac address. A different be...

eguun

Thanks anav to share to be fair, I indeed copied these flood scanner rules and others, but you'll see they were disabled. Your comments drive me to do what I pushed back "for later", which is to delete these rules that were disabled since a while now. It's an interesting approach to use th...

eguun

The anavIZED brought tremendous value, I'm sure sob was well aware of this way before me! Personally I would get rid of all the xtra firewal rules for anything other than the defaults plus what is essential for a working network (drop all icmp crap, raw crap, ddos crap, port scanning crap etc..........

eguun

I facepalmed too...

With that setting enabled, it now works as intended!
All these hours, while being one checkbox away from the desired outcome....

Many thanks for sticking with me through this process. I learned a lot.

eguun

Thanks anav, in my setup, I had not enabled the filtering on the bridge - this was something I found googling around, incl. in the post from your first response. I will try activating this and see if it makes a difference. Also, I have removed the ETH7 port as lan, thanks for spotting this. I unders...

eguun

I'm sadly reporting no tangible progress: I am still unable to get the VLAN access port to work, while the trunk works fine. I marked all these VLAN as lan, as recommended by your last post, ie: /interface list member add interface="vlan4(private)" list=LAN-Interfaces Following your advise...

eguun

Thanks, Good tip to go back to basics. Here's how/what I investigated: - vlans have proper dhcp settings that gets allocated just fine over the trunk. Which lead me to believe that both the bridge/vlan association and the dhcp address pool/vlan are working fine - I indeed disabled my arp- thingy, wi...

eguun

Thanks anav for you judgement and volunteering to act as middle man. I'm happy with that construct ... of course, should he opt for disclosing to you such essential piece of extremely personal information :) On your config, the big stuff I though diverging from my run were: 1- the VLANs I had were a...

eguun

Thanks for the message. Yes, that would indeed be a nive try for a home-lab. Your comment hits home as I'm using the mikrotik on dual-wan. No regret moving back the setting to loose. I can't otherwise comment much on config when it's secret. IMHO not the best way, you know, more eyes... Calling out ...

eguun

Thanks for these clarifications Maybe he's seen your point on strict/loose convincing enough ... I'm still googling without success what post/documentation I could have bumped into that drove me to change this parameter. I'm seeing specific use cases with Autonomous Systems way beyond my fairly basi...

eguun

here right now might be the the tipping point that spirals this thread out of control

eguun

Many thanks anav, I appreciate the effort and time. will need a bit of time to go through and digest. I can already share some lights on some points you wondered: - arp=reply-only is indeed done on purpose to prevent clients on the network with static IP - rp-filter=strict I don't know why I set thi...

eguun

Thanks, Yes, I understand is not simple. I can help simplify on the bridge front: there is only one bridge. The other 3 bridges are all disabled. FYI, 2 were for OVPN and one was for running tests. But all three are disabled, leaving only the one bridge from sample conf extract shared earlier. The i...

eguun

Hi Anav, yes, I understand your need and appetite to get the full picture ... even if I thought that my past extracts was sufficient. I'm not super comfortable sharing this full config publicly, even when redacting some parts manually. So, I will send to you per email the full config. For the sake o...

eguun

Hi, I'm still struggling to get this to work. My config below In short: the trunk works (which is the interface "LAN6(ETH7)"), but I don't manage to get access ports to work: no IP given when connecting to the ethernet interface. I'm expecting this config to allocate interface "LAN4(E...

eguun

Thanks very much Anav, First thanks for your time to respond something I can action upon. The big key I was missing was that a *single* bridge can achieve this. I was attempting to get 1 bridge per VLAN, and per-VLAN what ports are access/trunk ... which got me nowhere. Much thanks for this elegant ...

eguun

Hello, I'm unusually struggling to make a simple setup work: 4 ports, to be used as following - ether 1 is access port of VLAN 1 - ether 2 is access ports of VLAN 1 too - ether 3 is access port of VLAN 2 - ether 4 is trunk for VLAN 1 and VLAN 2 Would you be so kind to share a simple setup to meet th...

eguun

After a bit of (unsuccessful) testing, there doesn't seem to be possible to get fetch error message without using disk read/write. rextended your solution is still the best workaround, and I'll mark this as the solution. But it still remain damn painful to not have access on a simple variable of the...

eguun

I respect your faith in SSD ... but a small voice in my head will push me to attempt to get this running without disk access

eguun

Thanks It's very a interesting approach to isolate the code execution into a separate job, and monitor that job progress! I'll get my head around this and do some testing: I understand that within that job, the code is outputing the fetch to a file. I was keen to limit such disk access to preserve t...

eguun

Thanks for the contribution. Not having access to the error message that triggered the on-error only gets you so far. But on our topic at hand: the error message contains the redirect url. One cannot just guess it, or am I missing the bigger picture? How can one get that redirect url? What would be ...

eguun

Thanks,

can you please post some sample code to display the error message and or store that error message to a variable?

Thanks

eguun

I have looked around, The core issue is that when inside the "on-error" error catching, then there is no way to get the error message to parse it. This seems like a recurring issue raised by several forum threads already: How to retrieve error details inside the on-error clause: https://fo...

eguun

Dear community, To my surprise, the standard fetch tool in routerOS has no option to deal with following redirect. So I decided to enhance it by scripting a function that would loop x times the fetch, each loop with the url pointing towards the redirect provided by the previous iteration. My issue i...

eguun

This is absolutely great!

many thanks for having shared it

eguun

Thanks pe1chl,

yes, I understand makes sense that one has to maintain this hardcoded parameter.
But on the connection killing part, is this really important, or would these connection eventually die out?

Cheers

eguun

Update: I have experimented further, disabling a all ipsec policies and all nat and the issue dissapeared when I replaced the masquerade nat with srcnat. I kept masquerade replaced with srcnat and re-enabled all what I disabled, and the issue seems gone. So in short: your first advise to replace mas...

eguun

Thanks pe1chl,

I will work and test around these 2 areas: policies and GRE.

Maybe worth mentionning: my router is nated behind another gateway that owns the public IP.
So when I replaced masquerade with srcnat, the static IP I wrote was a private class IP
Do you think this could play a role?

Thanks

eguun

Thanks pe1chl, I'm not sure the effort invested in moving away from NAT to GRE is the solution to my issue at hand: If I disable all my nat (except the nat to internet), then I still face this issue detailed in the first post. So I'm doubtful that the nat itself is the cause of this misbehavior. You...

eguun

I experimented further: - I disabled srcnat, except the one for masquerading the lan to internet. - With the mikrotik router, I established an IPsec connection to the remote lan - (no traffic could go through from my lan since the srcnat rule was disabled) - When disconnecting the Ipsec tunnel, agai...

eguun

In the meantime, I experimented with changing from src-nat to marquerade and hardcoding the IP, it doesn't change the behavior unfortunatly: I'm still getting packet dropped from an internet stream when Ipsec disconnects from remote lan

doesn't work

eguun

Thanks, I will give it a try. I explored a bit the GRE setup further, and it seems I have no areas where to setup the DH group to use or the encryption algorithm (DES, 3DES, AES ...). I edited my post, but you already answered. By any chance, do you know if this is configurable? If yes, where to do ...

eguun

Hi pe1chl, thanks for your response, I understand your alternative to build a GRE tunnel (or IPIP). It could be easier indeed. I attempted exploring this first, but I'm not sure this is applicable: I don't control the remote gateway and it expects an IPSec connection (authentication in the form of I...

eguun

Hi All, Could you help me figure out why, when I disconnect my IPsec tunnel, I have existing connections to the internet that no longer receive traffic? Network diagram enclosed. Scenario / use case: 1- a user on the PC is having a skype call or follow a webinar with someone on the internet (or any ...

eguun

Thanks pe1chl, Indeed a workaround could be to have a script that is run pre-reboot to handle the following: - update the graph settings to write on disk every 5 minutes (or any shorter interval) - wait for at least that interval to secure one cycle of disk write - reset the graph settings back to t...

eguun

Hi, I am interested to save on disk some items just before reboot: for example the graph data. I am aware that we can set the graph to be saved at regular intervals. But this doesn't solve it really: 1- either the user sets a short interval (ie: 5 minutes) to secure a minimum data loss between last-...

eguun

Dear all, I have a succesfully running IPsec connectivity with several endpoints of several brands (ie: Mikrotik with MacOS, opnsense, Fritzbox ...). Sometimes my Mikrotik acts as server, sometimes as client. However each time, I notice that a few minutes before Ipsec IKE2 phase 1 expiry, the tunnel...

eguun

Hi, First let me congratulate you on your success, your efforts paid off :) If the router is rebooted, the counters will be back to zero. Any idea how to resolve this? On your counter-reset question: there is no way to alter this, it's a "feature" of mikrotik: all what isn't saved on flash...

eguun

Okay, at this stage, it's worth you ensuring the Nat & Firewall rules are aligned with your interface: ie that you didn't simply copy/pasted my text without changing interface names. Once done, you can add debug lines in the code to output some info in the logs or the console so you can follow-u...

eguun

Hi, Well the content of the script should be pasted into a blank script into System> Scripts You'll need to give this script a name a suggestion would be wan2DisableNatOnVolumeExcess Once you have saved your script under its name (for example wan2DisableNatOnVolumeExcess); then you'll need to run it...

eguun

Super guide, thanks floaty

Reported to work with release 6.47.6 that fixed that IKE xauth issue introduced with release 6.47.5

Thanks

eguun

There's no impact, just an annoying error message.

Okay thanks eworm

eguun

Same issue here.
Indeed I confirm the CCR router has no wireless antenna and is not managing AP, consequently I had disabled the wireless package)

What is the impact of this known issue?
Any advice?

Thanks

eguun

Thank you Sob, your message brings some level of comfort of seeing a positive outcome to this.

eguun

Thanks for the tip ... and the answer, much appreciated :) The forum might be my only option: my distributor was a small cornershop and is no longer in business after COVID. Is there a way I can get a "read receipt" from Mikrotik staff? And ideally a rough estimate whether this stands a ch...

eguun

Frankly I was expecting a bit more of response to this thread. Have I inadvertently bumped into an over-debated and touchy subject like having OpenVPN to support UDP? I searched the forums and googled around without results. I would very much like to have EC25519 implemented into the Mikrotik CCR fa...

eguun

Hi, as feature request, I would like mikrotik to have IPsec support of DH group 31 (EC25519) Diffie-Hellman group 31 is EC25519 (Elliptic Curve 25519) It's today the only undisputed secure Elliptic Curve algorithm. And several competitive product already supports it (pfSense, OPNsense, Fortigate ......

eguun

Hi, Could DH Group 31 be supported in IPsec please? Diffie-Hellman group 31 is EC25519 (Elliptic Curve 25519) It's today the only undisputed secure Elliptic Curve algorithm. And several competitive product already supports it (pfSense, OPNsense, Fortigate ...) It's absent from Mikrotik supported pro...

eguun

There is nothing easy you've missed. The post referred to by @msatter gives an idea how to calculate "yesterday" from "now" so that you could generate a match pattern for searching the log for lines whose timestamp contains the date. Thanks for clarifying, However in order to ge...

eguun

Do you know of a script that converts from epoch to mikrotik date / time? Not seen, but should not be to hard to make. Problem is that MT uses various from of date logging. * If log time is less than 24 hours (or is it from this date, not sure) it uses time only: 13:56:28 * Older logs with month an...

eguun

viewtopic.php?f=9&t=75555&p=790674&hilit=epoch#p790676

Not sure what to make of this post quoted here...
Would you mind elaborating?

eguun

Thanks,

indeed we can:
1- convert mikrotik date / time > epoch (this is inside your thread)
2- apply arithmetic to epoch
3- convert from epoch to mikrotik date time (I am unaware of the existence of such script)

Do you know of a script that converts from epoch to mikrotik date / time?

Thanks

eguun

This post is originally from 2013

It's 2020 and I'll be also interested to have a working solution

eguun

Hi, I'm unsuccessful at extracting logs earlier than same day, midnight Commands tried: These outputs all logs up to midnight of the day the script is run, doesn't go earlier /log print where time >([/system clock get time] - 1d)] /log print where time>([/system clock get time] - 24h) This outputs n...

eguun

Unfortunately rollbacks are not so easy with /export info (it is not a matter of loading a previous version, you would have to reset without defaults which means you can only do that from a tool that allows MAC-level connection e.g. winbox on the local network) but usually one wants to see what has...

eguun

I think it is to be expected. Not only for "undo" but also because it is just a dump of binary configuration as it is now. Just like memory in your computer or a dump of a disk, it will include old items that have only some "deleted" bit set but not the actual content erased. As...

eguun

Anyone having a view on this?

is having .backup files bloated with past steps a feature or a bug?
If a feature, can this be deactivated to reduce the filesize?

eguun

I made some further digging, it seems SSH holds more nuances than I initially thought. In short there are 2 channels how to type commands for SSH: through a shell (classic login) through exec channel (passed as an ssh binary argument) And although the output looks identical to an user standpoint, th...

eguun

Dear Community, turning to you again in face of an issue where I ran out of leads My goal is to ssh-exec to a cisco switch a simple command, to output the switch status: "show system" My use case/interest is to capture the output of that command into a variable to be processed into a scrip...

eguun

Support was quick to reply, and asked a few steps, including to add debugging in log output: /system logging add topics=ssh I had deleted the keys so I re-imported them (both via console and the winbox), but couldn't reproduce the issue. Still puzzled why I repeatedly got this error message yesterda...

eguun

Thanks for your support,

Sorry I haven't written earlier, but I managed to create a support ticket yesterday as per your recommendation:
Reference: SUP-15797
Currently pending support

eguun

I would say when you used type rsa and it works on the Mac but not on the MikroTik the key type is not the issue. (either when you use old types that could be no longer supported (dsa) or new types that are not yet supported by some dated equipment (ed25519) that could have been the problem) Thank ...

eguun

Thanks sindy, That's a great idea: to try that same key someplace else. I followed your idea and tried to connect from mikrotik to my macOS using that key As you foreseen, I also got that very same same error back. I will send this to the support team, and hopefully it will be actionable enough that...

eguun

The key itself may be fine but the Cisco may not advertise support of that key type so Mikrotik gives up without Cisco knowing the reason. Thanks for the response. I'm not sure I follow you here When used on macOS for authentication on the switch it works as intended: successful login without havin...

eguun

To add on the key topic:

I generated keys on a macOS using the command from this post:
viewtopic.php?t=151017#p744315

ssh-keygen -t rsa -m PEM

Nothing really exotic

eguun

Maybe the key type you generated (dsa, rsa, ecdsa, ed25519, ...) is not compatible with one of the two sides?

Thanks

I actually tried this key on a macOS, works fine.
Seems the key is fine.

eguun

Hi, From a mikrotik CCR router, I'm attempting to connect to a cisco switch using SSH I confirm SSH connection works fine without keys (ie: with interactive password typing) I have imported private/public keys, and when those are imported, I am getting this error message back error:0D078079:lib(13):...

eguun

FYI, As one of the main difference between the 2 devices are CPU frequency I tested the following: - downgrade my passive-cooled version of CPU speed (in system > routerboard > settings) => logs at boot and /system routerboard print are showing "cpu not running at default frequency" - brin...

eguun

I believe it is normal. I've just check a CCR1009-8G-1S-1S+-PC of mine, it is also reported to be CCR1009-8G-1S-1S+ in RouterOS. Thanks for the prompt response, much appreciated :) I didn't pay much attention to it until last firmware update. These two devices are very likely sharing exactly the sa...

eguun

Dear all, routerOS mis-reports the device as the non passive cooling version; ie main difference being the CCR1009-7G-1C-1S+ to have: wider form-factor, a 1.2Ghz CPU with active cooling (fans) and dual power supply current-firmware: 6.46.6 I am running these commands in the Mikrotik CCR1009-7G-1C-1S...

eguun

Dear all, When opening in notepad the backup file resulting from the /system backup command ( https://wiki.mikrotik.com/wiki/Manual:System/Backup ), I realize that it contains a track record of several iteration of my scripts. The /system backup command outputs a .backup file that lists the same scr...

eguun

Thanks for the link Seems what the presentation covers is not what is being discussed here. Here the topic is to limit volumes on an interface based on quota for that interface (typical scenario being LTE monthly volume). The presentation speaks about load-balanced WAN, based on bandwidth; ie: switc...

eguun

Thanks for your response, I guess each language can have its own naming next to this feature, "capturing group" being one of them. Perl calls it "extracting matches", boen_robot in his post referenced earlier called it "regexmatch" If it gets returned as $1 $2 would alr...

eguun

Hi, I am not sure Mikrotik support this basic function. The need is to parse a string and extract some content based on regex . I think mikrotik can only return true/false if the regex is matched, but can't return $1, $2 .... based on the matches (like any other coding language would be capable of d...

eguun

Dear all, I'm new to Mikrotik, this forum was of great help. Thanks to the community. Happy to contribute by sharing below my implementation to avoid getting overpriced LTE invoices. How this works? 1- the counting of the LTE traffic is made via a firewall filter. Main reason here is to avoid file r...

Search found 84 matches