MikroTik

memelchenkov

It's a great idea to rename to "nas"! I love roses, like well Guns'n'Roses, rose flowers, rose perfume and so on… but how it is related to SMB I really don't understand! the rose-storage package does not only offer the "nas" function, but also the "client" function. In...

memelchenkov

It's a great idea to rename to "nas"! I love roses, like well Guns'n'Roses, rose flowers, rose perfume and so on… but how it is related to SMB I really don't understand!

memelchenkov

Not a good update, now there are many messages "reassociating", "disconnected, ok" in wifi logs.

memelchenkov

Normis, from what you write it seems like you don't really like Wordpress

Tech. pros don't like WordPress

memelchenkov

Now empty "WiFi" tab in WinBox. And working WiFi tab copied to "Wireless".

memelchenkov

You may use something like: https://wiki.mikrotik.com/wiki/Manual:W ... Debug_Logs

memelchenkov

@anav, so it works by accident rather than not works by accident? Cool.

memelchenkov

You did not give details what country. Many world countries now block VPNs. If you live in a such one that means they start blocking. Another variant — specific ISP blocks. First of all you should talk to the ISP where is not working and get official answer about open port or DPI hardware. Only then...

memelchenkov

It may be firewall address list, for example. In mine case of the same situation—only netinstall

memelchenkov

Write a script on a virtual desktop that will kill WinBox if some pings failed.

memelchenkov

But can docker be used on such a small device like the hAPac2 ? As I understand it, docker requires much disk memory, 100+ MB or so, whereas such a hAPac2 has got only 128 MB :-) USB flash for Docker? I did not try that. Docker images could be really small, on Alpine Linux only few megabytes. ac2 i...

memelchenkov

At MUM few years I asked MikroTik about packages like in OpenWRT, Asus. They told "no". And years later they bring Docker.

memelchenkov

Check that VPN connections are excluded from FastTrack, it's a mandatory rule for correct working of VPN.

memelchenkov

It's interesting if he mentioned MikroTik in his book or not

. (look the latest comment on YouTube)
It won't work good on a length > 100 m. Do they install active repeaters/switches? Maybe. It's very interesting anyway.

memelchenkov

Just out of curiosity, what do you want to achieve by upgrading major version?

memelchenkov

When I use Adblocker my YouTube video player has stopped.

You got the wrong forum. It is a forum about MikroTik routers. You should write to forum about your Adblocker software.

memelchenkov

I can restore from backup

Just an idea: try to restore from export, not from backup. Backup (the binary configuration itself) could be corrupted.

Also, check free disk memory. If it is near zero it could cause these problems.

memelchenkov

Your current measurements does not anyhow shows problem with the router. Try to get ISP technicians first, let them show you the real channel speed via their own hardware (usually they come with an notebook with Ethernet port). They will show you the real channel speed, you will see what they use fo...

memelchenkov

You should not check ISP speed by trying random speedtest website/app. You should ask your ISP which server to use to check wire speed. The speedtest server should be installed on ISP side. That's the only way to properly check link speed between your hardware and your ISP. Speeds between your hardw...

memelchenkov

Yep we have an input firewall, only ping is open to world ..

Then how the router can accept DNS NTP answers if you block all traffic except ping?

memelchenkov

Whois shows it is telecom from France. Yes, is recently buyed, checked on RIPE. But I prefer to remove the post with the IP, since is open to the world..................... Not a problem, the first bot scanner will penetrate any public IP in first five minutes. Also, it is LTE so probably CG NAT wi...

memelchenkov

On picture...
94.187.x.y is from Kuwait???

Whois shows it is telecom from France.

memelchenkov

Flash again (not reset) you’ll get the default config. It’s impossible to say anything about condition of the device you get, does it have some kind of broken firmware or not. Default FW config is pretty similar among different models and these devices do not have any problems with DNS NTP etc.

memelchenkov

Check TR069 instead, will it work for you or not.

memelchenkov

Check signal strength.

memelchenkov

Set fixed port in qBittorrent, it randomizes it on each launch.

memelchenkov

So its not like that an un-approved user can get on the Wifi to sniff around? Yes, it is. MAC can be sniffed, then spoofed. However, if your film&tv staff is not very tech-savvy (I mean, not hackers) and don't specially want to drown you they probably will not hack Wi-Fi. So yes you may then. N...

memelchenkov

> restrict Wifi access to the Starklink to specific Mac addresses
Not secure. MAC could be spoofed.

> I do not trust them
Do not share with them then.

Are you a soldier of fortune? Starlink, odd parts of the world, strange colleagues whom you can't trust...

memelchenkov

Or can we? :wink: Yes, we can. As a former system administrator of multi-service ISP, and as just an IT professional with a broad experience with small businesses in some other countries, what can I say: - MikroTik is an enterprise-grade hardware and software, ISP routers are not. ISP routers are S...

memelchenkov

The only drawback of such setup (apart from being ugly :wink:) is that there's another device consuming power. Not the only. Sometimes, they are quite unstable and have software and/or hardware bugs. So it's almost always better to use media converter than a router (if possible, of course). But for...

memelchenkov

@millenium7 yes, AFAIK it is, Cisco cert is relatively easy to buy without real knowledge, there are special people for this.

memelchenkov

Create address list with your VPN address range, then:

add action=accept chain=input comment="accept requests to MikroTik from VPN" \
ipsec-policy=in,ipsec src-address-list=LAN

memelchenkov

Please look there: https://mikrotik.com/download/changelogs

memelchenkov

You and your colleagues should get offline training. You are right, MikroTik's UI is counter-intuitive, even for those who knows Linux, and you'll spend months mastering it yourself. However, knowing how these UI sections interacts with hardware and with each other, it will not be harder than any ot...

memelchenkov

And another (much repeated request) for a NATIVE MacOS Winbox version. Currently have to start VMWare Fusion just to start Winbox....

WinBox works perfectly under CrossOver for ages, you do not need virtualisation software to run it.

memelchenkov

How do you force the device to join only 5G band? There are two ways: 1. Separate network names for 2.4 Ghz and 5 Ghz networks . 2. When the same name, use "Access List" tab of Wireless, add necessary MAC addresses, select 2.4 Ghz interface and uncheck "Authentication" and "...

memelchenkov

Maybe it's better to change base OS than WinBox. Windows is a kind of system full of strange bugs. It perfectly works under CrossOver on macOS.

memelchenkov

viewtopic.php?t=113148

memelchenkov

but now it is usable only as switch

Now? It has always been a switch and nothing more.

memelchenkov

v6 is already out of service for a long time. if you haven't noticed, there are no upgrades for v6 except CVE / critical security fixes (rare)

That's exactly what I mean. It will be out of service when there will no be security fixes.

memelchenkov

Upgrade when 6.x branch will be out of service (not anytime soon). “If it ain't broke, don't fix it”.

memelchenkov

7.11 comparing to 7.10 has some issues with Wi-Fi signal strength on Chateau.

memelchenkov

This update is relatively slow. Don't worry if your router is not up in few seconds. Await several minutes.

memelchenkov

You may use Docker container with dnsmasq installed, just add necessary option to DHCP so DHCP clients will get the proper server address.

memelchenkov

https://mikrotik.com/current.rss works with Inoreader, also available by direct link, no issues.

memelchenkov

It could be power adapters issue.

memelchenkov

I appreciate the answer, I was dubious just for that specification I cite... The link IS helpful. My intention, of course, is not to offend anyone if there is some mistake… If you have any questions about things related to Cyrillic encodings feel free to ask (probably better in messages or email be...

memelchenkov

Cyrillic is not a language, its an alphabet shared across multiple languages And those languages use that alphabet. I don't understand the clarification, it was more than obvious... Your words… "who knows Cyrillic as native language". Was my reply helpful? Or this message is the only you ...

memelchenkov

Cyrillic is not a language, its an alphabet shared across multiple languages. I.e. https://en.wikipedia.org/wiki/Romanization_of_Russian and follow "See also" chapter for other languages.

memelchenkov

I agree with above what onnoossendrijver said. Why need to have a printer constantly at 1G? Printers will never have the need for such speed anyway, and it's apparently doing this to save power. Let it do it's thing. My device is not a printer, it's a dock (with Ethernet adapter) connected to a not...

memelchenkov

Disabling interface and enabling again, brings it back to 100M. But after 5 minutes ... 10M again. And case closed after further investigation. Someone here at home changed the power settings on the printer so it went to power safe mode after 5 minutes. Time to set an admin passwd on that device to...

memelchenkov

My comment was mainly that "rolling your own from scratch" usually no longer makes sense from a maintainability standpoint. Not that it can't be maintained, just that it usually isn't cost effective compared to using a framework. My first program was for MS-DOS v 3.30 on i8086 CPU (honest...

memelchenkov

Replace FAT32 with exFAT then. FAT32 is outdated in all senses. NTFS is proprietary, so Linux implementation is rather buggy and only via FUSE. exFAT is not proprietary, and is in Kernel now (new driver since 5.7).

memelchenkov

ChatGPT “lies” not more than average citizen in real life. It’s not a “lie” by itself but something like a cognitive distortion that humans have. But some people treat it like a strict computer program, like an expert system. No, it’s a “black box” machine transforming input from really big database...

memelchenkov

ROSE could be used with the USB to disk on a RB4011

RB4011 is an excellent router, but it does not have USB.

memelchenkov

I see only one big difference (except RADIUS auth)

Mine:

/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=server-ikev2 pfs-group=none

And yours don't have "enc-algorithms" for this string in your config. Maybe it will help?

memelchenkov

Self generated certificates? RSA2048? ECDP?

Self-signed, RSA2048. Used fields are "Common Name" and "Subject Alt. Name: DNS" (same as "Common Name"). Key Usage - "tls client" for client and "tls server" for server.

memelchenkov

With username/password + certificate?

With certificate only (User Authentication: None, Machine Authentication: Certificate).

memelchenkov

I successfully connect to IKEv2 VPN on macOS 13.2.1 M1 Max CPU both to 6.x branch and 7.x branch. Try also watch logs of IPsec in macOS Console.app.

memelchenkov

Now works. At the time when OP posted it — not worked for me with the same error, too.

memelchenkov

why there is missing zero tier on Arm?!!!

It's there, in all_packages-arm-7.8.zip file.

memelchenkov

- Bad idea to upgrade the firmware, because you had a well-known working solution, then something happened externally, and now you changed internal conditions, so understand what happened will be much harder now. - Check logs what you see there. - Try to change Wi-Fi channel. Probably someone pollut...

memelchenkov

Here is memory usage graph since Aug 2022. Jan 12 2023 is a point where I updated the firmware from 7.6 to 7.7, and then the graph level started increasing. It's a router which is in use by only 2 people. I do not know, what is it — caches, or not, but, if developers did not do changes related to ca...

memelchenkov

Your ISP may filter game ports. Ask them, is it, or not.

memelchenkov

Looking back, I would prefer to enroll in courses, rather than learning it myself. In fact, all concepts are taken from Linux (after all, this is what it is), but you need to be an advanced network engineer in order to learn MikroTik “at a glance”. As for WinBox, many of us uses it via Wine from Mac...

memelchenkov

One more idea is so-called "ethernet loops". It could caused by faulty Ethernet card. You should configure some loop-detection feature on your switch or router.

memelchenkov

I know this is a shot in the dark but anyone ever experienced this? Sure. It's a standard task for any network administrator. Watch logs and sniff traffic. First, you should determine what happening. Next, make to avoid it (depends on kind of situation). I am sure there is some traffic analyzing so...

memelchenkov

BTW: SNI intercept can also help in blocking youtube etc.

TLS 1.3 encrypts SNI. So this method is gone now.

memelchenkov

@leonardogyn why do you think it's a leak and not a cache? There are many different kinds of memory in Linux kernel. The properly working system should use the whole available memory to maximize its performance and free it only when necessary. So I'd like to know why you decided it's a leak and not ...

memelchenkov

memelchenkov - Please send supout file from your router to support@mikrotik.com. Please note that your router did fail while running v7.6. The issue is not caused by v7.7. It seems you are right, that the problem is not related to 7.7 upgrade, thanks! I rebooted without trying to update and the sam...

memelchenkov

I have downloaded. ARM Chateau. But after reboot still 7.6, no upgrade performed. Tried twice. In logs: "router was rebooted without proper shutdown, probably kernel failure".

memelchenkov

You do it wrong way:
- Do not use PPTP, it's an insecure protocol.
- Do not open management interface from outside the network.

The proper way:
- Establish secure OpenVPN/IPSEC/WireGuard channel.
- After, connect to the router by its internal IP address (Web, WinBox and so on, as you wish).

memelchenkov

It is very hard for an OEM to select the features to include or exclude.

If they buy OEM hardware, what another manufacturers use the same platforms?

memelchenkov

Why check YouTube and different sites if ProtonVPN has its own manual? https://protonvpn.com/support/vpn-mikrotik-router/

memelchenkov

*) bridge - properly process IPsec decapsulated packets through the firewall when the "use-ip-firewall" option is enabled; NAT with IPSEC with Use IP Firewall enabled still not working correctly. Connections are freezes. Fortunately, Bridge Filter Marks now works!! So IP Firewall for some...

memelchenkov

memelchenkov - Works for us. Can you provide supout file from this device to support@mikrotik.com which would be generated right after you have tried to make a backup?

SUP-84114 just filed. Thanks!

memelchenkov

"RouterOS WinBox Error — Couldn't make backup - action failed (6)" when doing backup. 7.4beta2 on RBD53G-5HacD2HnD (Chateau).

memelchenkov

I doubt anybody will fix PPTP even if there is some bug.

memelchenkov

Replying to author's original post: if I remember correctly, route-based IPSEC is a standard choice on *BSD systems (and routers based on it), not on Linux. VTI/XFRM interfaces, which probably could implement what you want (sorry, I can't say exactly because did not work with them), are not implemen...

memelchenkov

Thank you for posting feedback! I am glad I was able to help you.

memelchenkov

You’ll need to enable debug for “ipsec” and “l2tp” topics.
https://help.mikrotik.com/docs/display/ROS/Log

memelchenkov

- Check IP of your DDNS domain is the same as your public IP.
- Enable debug logging both on client and server and look which part of VPN communication have issues.

memelchenkov

i am using hotspot, users due to ip change, they have to login again

You may use MAC cookie feature to avoid this: https://wiki.mikrotik.com/wiki/Manual:H ... MAC_Cookie

memelchenkov

Hola Amigo! It's the only two words I know in Spanish! Welcome to our forum!

memelchenkov

Try this:
https://github.com/BigNerd95/RouterOS-Backup-Tools
https://github.com/marcograss/routerosbackuptools

No such tool for v7.

memelchenkov

You forgot the new COVID lockdown in China which already holds for several weeks.

memelchenkov

Once I tried to mitigate attacks from DigitalOcean network. I tried to reach their abuse/security department very hard with no adequate reaction. In my opinion, it was a serious issue, with a real malicious activity. It seems, ShadowServer works on opposite side—they try to make the Internet more se...

memelchenkov

Hmm, it's a quite interesting situation. That's true, you can't have much 2.4 Ghz Wi-Fi in a small environment. What about if set up common hallway-based powerful enough Wi-Fi APs, and set 802.1x authentication for each user. Then you will be able to limit their Internet based on their tariff plan.

memelchenkov

It may be due wrong PFS. Try 'none' to make sure it is not related.
It may be due to 7.x firmware if you use it, they have some bugs, depends on configuration.

memelchenkov

*) bridge - fixed packet marking for IP/IPv6 firewall;

Please tell, what exactly fixed? Will it fix SUP-72355?

memelchenkov

- Some problems with switching Wi-Fi networks (different SSIDs on the same router). Hardware (phone, notebook) reports "Network not found", but on the second try it connects OK. Not happened with 7.1.3. + Performance a lot better than before (CPU monitoring show normal load at 100 Mbps rou...

memelchenkov

UPD: the situation reappears after two days. Bridge IP Firewall is not fixed. Do not use it at all, very buggy feature.

memelchenkov

It was issue with NAT and Bridge IP Firewall: NAT worked incorrectly. It was fixed in 7.2rc4.
UPD: no, not fixed.

memelchenkov

The support is already aware of the problem, they reproduced it, and will fix it in next ROS 7 versions.

memelchenkov

NAT with Bridge IP Firewall bug is now fixed in 7.2rc4. Bridge Filters (packet-marks not working) are not fixed yet, but the support is already reproduced the problem and will fix it in future. For me, my situation is solved now (I hope :), because I use Bridge IP Firewall, not Bridge Filter for my ...

memelchenkov

No. https://forum.openwrt.org/t/support-for ... ch/104568/.

memelchenkov

Thanks but it seems that v 7.2rc3 cannot be downloaded... (or where exactly?) the archive contains only stable releases, not beta and rc? You may download it by direct link: https://download.mikrotik.com/routeros/7.2rc3/routeros-7.2rc3-arm.npk (I just replaced "4" from current download li...

memelchenkov

Oh, thank you so much!, its possibe to disable or remove? thanks

I doubt.

memelchenkov

Upgrade my devices, all working property, but, what is (xxxus) after (xxms) ping? i never seen that before upgrade. Thanks

Microseconds (μs).

memelchenkov

For example, in the old days of Windows NT development there were about 5000 developers and about 5000 testers, that's why the resulting programs run so well, even to this day. 😳🤪 Seriously? We must have a different understanding of " run so well ". Comparing to 9x branch? It ran VERY well.

memelchenkov

No one downplays MikroTik. But some things get very annoying, especially when you can't solve them for months.

memelchenkov

In today's world they are very good standing, if comparing. In today's world any software become a piece of ... Customers are no longer engineers, but zoomers with no education. They are brought up on SJW ideas, not qualities. I talk like an old fart, but I feel that I got into the forest, and aroun...

memelchenkov

We are here, on the forum, already noticed MikroTik lacks proper QA team. It's not related to dev. team and support team, but to very poor management decisions (nobody will forget when they sold Chateau device with alpha-quality firmware without mentioning it, and only after 1-2 years on the market ...

memelchenkov

What do you mean you can’t limit client? Limit him by MAC, or by dot1x. Administrative actions, all in one. If it’s a company—then it’s not a problem at all, fine-then-fire policy works well. If some public network… there are variants too.

memelchenkov

Worldwide chip shortcoming. Logistics problems (seriously, hard times due COVID).

memelchenkov

Too little information. I suggest you to start regular diagnostics procedure which involves standard steps: - sniff traffic from the Internet port till the server port, at each point; - analyze the traffic; - if no issues, then proceed with investigation of the server. This way I fixing many problem...

memelchenkov

MikroTik CHR? You can run it in virtualization software on Windows.

memelchenkov

If you did not change the network configuration then why you thinking the problem is in the MikroTik? Check your server first.

memelchenkov

bridge - fixed bridge filter and NAT rules on ARM64 and TILE devices; -- please tell what's exactly fixed? I experience bridge filter and bridge IP firewall issues in 7.1.2. Bridge Filter do not mark packets, and bridge IP firewall breaks NAT. But it's ARM platform (Chateau), not ARM64. Does this f...

memelchenkov

but you have to add some src-address(-list) condition to restrict the effect of the rule only to traffic initiated from your local LAN subnets. If that doesn't help, I cannot see any other way how to distinguish the routing phase from the bridging phase. It seems it does not work that way. When add...

memelchenkov

If you mean below rule, then this rule just blocks everything.

/ip firewall raw
add action=notrack chain=prerouting in-interface=!bridge

memelchenkov

There is no in-bridge-port-list option for RAW section.
However, I use this option in Mangle section, to connection-mark traffic coming from specific WLAN interfaces which destination is WAN.

memelchenkov

/interface bridge settings set use-ip-firewall=yes ? This. I didn't think about this, thanks (and MikroTik support didn't think about this too). Sounds reasonable. However, I do not realize how to implement raw rule with both "In. Interface" and "Out. Interface" options, to excl...

memelchenkov

Just for own education: why Tailscale if there is already ZeroTier?

memelchenkov

The support still did not solve the issue. The reply was still the same as before: check routing (it's OK), make sure your provider's NAT is OK. They checked router config, config is also well. When sending follow-up, no reply back. I just found they did not fix Bridge IP Firewall, however they told...

memelchenkov

Hello!

Can somebody test on Chateau (or maybe other device) with 7.1.2 if bridge filter working for them? I mark packets in bridge filter but do not see these marks in Firewall Mangle section.

memelchenkov

What's new in v3.34:

*) fixed WinBox crash on startup (introduced in v3.33);

Thank you!

memelchenkov

For anyone looking for previous version of WinBox: https://download.mikrotik.com/winbox/3.33/winbox64.exe

There should be 3.32: https://download.mikrotik.com/winbox/3.32/winbox64.exe

PS: fix 3.33 for Crossover, please, there is a demand.

memelchenkov

I don't see why the app should be made in Electron. iOS already has MikroTik app, and it startup timings are very fast, and its size is only 25 MB. Probably, some cross-platform toolkit, but with native performance.

memelchenkov

Overall information from this forum shows that there are different issues with VoWiFi, and one of them is lack (or blocking) of keep-alive packets. But, it is not the single possible issue (i.e. it's not related to my case). Second issue is NAT problems, like in my case, as stated by tech. support. ...

memelchenkov

works

MTS VoWiFi works for you on firmware 7.1.1? Moscow region?

memelchenkov

Waiting for resolution from MikroTik side.

memelchenkov

what I see: src-address: LAN IP -> dst-address: MTS IP. And src-address: MTS IP -> dst-address: Provider IP. On what interfaces? wlanX->bridge->pppoe? Here is the dump. 10.x - LAN, x.77 - MTS VoWiFi IP, x.61 - my provider. [admin@Router] > /tool sniffer quick ip-address=x.77 Columns: INTERFACE, TIM...

memelchenkov

Still... if you shut down WiFi on the phone, wait for the existing weird connections to die off (3+ minutes), then run /tool sniffer quick ip-address=ip.of.the.exchange and switch on the WiFi on the phone, what does the sniffer output show? Wi-Fi calling was turned off on the phone, at least one da...

memelchenkov

But I've got another idea - would it be possible that if the WAN goes down for some reason, the packets towards the exchange take some other route than via the WAN gateway? That would explain why the new connection is not src-nated. No, it do not goest down. Indeed, I have interface list as masquer...

memelchenkov

And there is no restriction of allowed to-ports in the src-nat/masquerade rule that normally creates the correct, bi-diectional & src-nated, connection? Sure no. A default plain masquerade rule. Maybe the newer version of ipfilter in RouterOS 7 behaves differently in the same situation, but… I ...

memelchenkov

So connection #4 should have been src-nated (unless there is an issue in chain srcnat of nat , which is unlikely as it works for some time after reboot) but it is not, and connection #3 should not have been even accepted unless connections to UDP port 4500 are permitted in chain input of filter . I...

memelchenkov

When you had double entries, was one of them with an untranslated port number 4500 and the other one with a different reply port number? Look: * IP ends with .77 is cellular provider's IP. * IP ends with .61 is my external IP. * IP 10.0.0.24 is cellphone's IP. https://i.postimg.cc/4d9ZxhJ6/Double-e...

memelchenkov

I can hardly imagine how a forwarded UDP connection on a NATing router could create two independent unidirectional connections, unless... Yes, it's a very unusual situation. Sorry for not sharing details publicly, but I created one more ticket with support, #[SUP-72355], especially related to this ...

memelchenkov

A stupid question - the phone keeps sending its IPsec traffic to port 4500 of the IP address of the mobile exchange. Assuming you haven't intentionally told the src-nat/masquerade rule to use only a single specific port at your WAN IP address for this connection, if you run /tool/sniffer/quick ip-a...

memelchenkov

7.1.1 firmware seems solved problems with VoWIFI I experienced. I updated yesterday and still testing it, but for these two days it works well. Unfortunately, I was too optimistic. On the third day it stops working. The situation as was before: on port 4500 (UDP) there is only one-way traffic, beca...

memelchenkov

7.1.1 firmware seems solved problems with VoWIFI I experienced. I updated yesterday and still testing it, but for these two days it works well.

memelchenkov

Bridge filtering and bridge IP firewall do not work as expected. It’s better to avoid them until they will be fixed.

memelchenkov

Bridge filtering and bridge IP Firewall Filter still working abnormal. Chateau device. I mention it in SUP-66472.

memelchenkov

I found it is NAT issue. Instead of creating mapping LAN_IP:4500 <--> SERVER_IP:4500 Connections tab has two unrelated connections LAN_IP:4500 -> SERVER_IP:4500 and SERVER_IP:4500 -> PUBLIC_IP:4500. So, instead of passing traffic in NATted connection both connections are stalled due this. What's the...

memelchenkov

Hello fellow Russian citizens, Anybody use Chateau with 7.0.3/7.0.5 stable firmware? I experiencing issues with MTS Moscow VoWIFI. Port 4500 connection has xxx/0 bytes — in other words, IPSEC channel does not receive anything. Sometimes it does, sometimes not. I do not see a logic. Probably it's a b...

memelchenkov

only cable is different

Then the problem is in the cable (or, at least, this cable is the most problematic item in all hardware). The cable is probably out of specification (fake), or was damaged during installation/operation (i.e. rats).

memelchenkov

I have tried this cable outside the wall (though it is much shorter) with a different socket (not that in-wall socket I have everywhere), that one worked perfectly with 1Gbps speed. That's the answer. You have a cable/socket hardware problem. Make sure your cable and socket are 1Gbps compatible and...

memelchenkov

Mikrotik router is accessible from outside but there are no rules to allow the same. How is this possible?

There is only one possibility: misconfiguration.
Show your config.

memelchenkov

Search this forum for 'mss fix', probably that is.

memelchenkov

Hello!

What's the minimum set of HTML files in hotspot directory? I mean, can I remove i.e. logout.html, status.html, radvert.html, ...? I want to customize only login.html and (if this file is mandatory) error.html, and delete all others as non-customized. Am I right doing this or not?

memelchenkov

Sorry for my ignorance, but why does anybody need route filters?

It's a carrier-grade feature. https://mum.mikrotik.com/presentations/ ... 374753.pdf

memelchenkov

I have not used policies for myself, but, according to documentation https://help.mikrotik.com/docs/display/ROS/User, isn't it enought to create a user with "reboot" only policy disabling other policies? And allow API only access to router. By the way, why to restart MikroTik? It's super-s...

memelchenkov

I have 7.1b4. Mail me: m at emelchenkov dot pro, I'll send you.
I also have 7.0.3 stable for Chateau.

memelchenkov

Not possible. But there is stable 7.0.3 version, try it: viewtopic.php?f=1&t=175201&p=865504#p865428

memelchenkov

How to subscribe to updates for new versions of 7.0.x stable for Chateau? I downgraded to 7.0.3 from 7.1b4 and pretty happy with it. So I want to continue get updates for a stable channel.

memelchenkov

To those people asking for mDNS, can you give examples where it will be useful? I.e. network printers in wired network shared with VLAN of wireless clients. Connections to printers are allowed by firewall, but mDNS are not routed so users must enter IP addresses rather than use auto-discovery featu...

memelchenkov

Hello. I have two MikroTik routers with IPSEC channel between them. I run btest server on both of them. I am able to connect from btest client of first router to a btest server of second router by external IP (PPPoE), but I am not able to do it by its internal IP (which belongs to 'bridge' and avail...

memelchenkov

My experience of downgrading form 7.1beta4 to 7.0.3: - I uploaded 7.0.3 firmware and rebooted. - My configuration flushed. - But I am able to connect via Neighbours tab. Probably, above procedure was my mistake (I don't really know why my config was flushed). After: - I uploaded 7.0.3 firmware again...

memelchenkov

Do not upgrade Chateau from 7.1beta4 to 7.0.3. It will not boot after upgrade. I will investigate it a bit later.

memelchenkov

Chateau cannot run on RouterOS v6. It is shipped with v7.0.X (stable) , which is different than 7.1betaX (development) . Historically, RouterOS is released per platform (x86, arm, mips, tile, etc.). Unfortunately, there is no stable per-platform ROS v7 available yet. So the decision has been made t...

memelchenkov

You can install OpenWRT on some MikroTik routers.

memelchenkov

It's a provocation, you do not notice that? you think really routeros go test from You got it wrong. A device queries Mikrotik's DNS server -> address list filed. That's all. It's how it works now (?) — I don't know exactly how it is implemented now, but IP address appears at the list after request...

memelchenkov

(using e.g. bgpq3) You usually don’t want to get all AS range. You may not know all ASes used by website. And it involves 3rd-party integration anyway. For home/small offices it’s overkill. I am pretty happy with what embedded DNS server and Firewall Address List offers, just want to be it more fle...

memelchenkov

Use an external DNS server for that?

I use these lists for traffic forwarding, not blocking. So, this feature built into Mikrotik will be perfect. Even more, it’s already there, just no wildcard support yet.

memelchenkov

like put "*.google.it" and the routeros try to resolve (address to add ip on address-list)
all possible combination

Yes.

memelchenkov

Hello! It will be cool if you will implement wildcards for Firewall Address List. It's easy to use with internal DNS server, easier than L7 processing. There already were such requests but they were for v6, so I hope for v7 we'll finally see it.

memelchenkov

Why would you want to do this? Torrent is illegal where i live,,,,,, if i don't block it then our small ISP will be charge by the internet authority What's the problem? Pass the court order to the violator, he will pay the fine. Torrents are not illegal. Downloading/uploading copyrighted content is...

memelchenkov

@gdanov, don't spend time explaining, you are absolutely right, it's not a beta, it's about alpha quality, just keep it in mind. It's already discussed there many times and nothing really changed. I'm surprised why Mikrotik still adds new features instead of stabilizing existing ones. This is some k...

memelchenkov

Is it possible to configure CAPsMAN to provide separate VLAN to second Ethernet port of cAP ac?

memelchenkov

Is "MikroTik support #[SUP-37062]: ROS 7.1b4: Packet mark issue" fixed in this version? I'd love to see detailed changelog for each beta, because "other minor fixes and improvements" is not very informative, and usually these "minor fixes" are not minor at all.

memelchenkov

I tried today and found out it's broken again. Open a support request with Mikrotik, they probably will fix. I opened previous time, and after they fixed.

memelchenkov

Amazon often sells used items, Amazon problem, not Mikrotik problem. Buy from authorized resellers, not from marketplaces.

memelchenkov

Couple of questions on v7 - when is the planned launch date of the non-beta version and would I be mad to consider installing it in production?

Forget. It's still alpha quality, even not beta. However, it works quite stable for some basic things. But advanced RouterOS features do not work at all.

memelchenkov

Are you an immigrant?

No, not AFAIK. But in the troll mode (again after some quiet time LOL).

Ahaha, OK OK :)

memelchenkov

It seems you are disturbed that they sold products that depend on using a beta firmware. Seems justified but the folks that are affected are all those that jumped on the home wifi bandwagon of MT which many have been stating to avoid for some time now. So my sympathy factor for those with audience ...

memelchenkov

It seems you are disturbed that they sold products that depend on using a beta firmware. Seems justified but the folks that are affected are all those that jumped on the home wifi bandwagon of MT which many have been stating to avoid for some time now. So my sympathy factor for those with audience ...

memelchenkov

volunteer testers. :-)

volunteers choose their own destiny, deceived customers do not 😠 Show me idiots who want to test this alpha-quality piece of code by itself. NO, they sold it as release.

memelchenkov

Maybe report the issues you have found to support. They may provide beta6 for testing. Their official answer at 21st of April was "Unfortunately, the issue still is not fixed. I will remind the developer team about this issue. Apologize for the inconvenience caused." Original report of th...

memelchenkov

When the new beta will be released? I am so tired to wait for a fix of bridge IP filtering functionality, which totally break my config (I must disable it to continue to use your router).

memelchenkov

A pretty neat feature and often required here. It's usually good for sharing printers in work environment, rather than for home. However, for home could be useful too, people are just lazy now to make some complicated setups of their networks. But Mikrotik is a complicated device, it's strange they ...

memelchenkov

Install 7.1b4 or 7.1b5. I use 7.1b4 now with limited config (full feature set not supported in 7x branch yet), works stable. Before export your config in text format. Update could go not smooth.

memelchenkov

Change the cable (or crimp it again). It's a wire hardware issue.

memelchenkov

Russian shops: LTE6 is on sale, non-LTE — absent.

memelchenkov

Depending on how complicated the things you are doing are, you might be able to use bridge filter rules instead of the "Use IP Firewall". Wi-Fi interfaces are on the same bridge with outbound interfaces and IPsec tunnel, and I packet-mark traffic from Wi-Fi for NATing. I already tried Bri...

memelchenkov

sorry for beeing sarcastic. I am in the Chateau12 camp too. Struggling since 11/2020 with this device. But I dont give up hope. Oh yeah! The same. Recently I found the root of my problems of wrong traffic routing and IPsec issues, which I experienced for 2 months with no resolution from support's s...

memelchenkov

c'mon! Everybody knows that you need to check Mikrotik forums and download-pages before you buy a Mikrotik product! Always these naive people that buy hardware and assume there is a stable software available.... Not everybody, but only those who work with MikroTik long and a lot—network administrat...

memelchenkov

Which product?

https://mikrotik.com/product/chateau_lte12
Still not mentioned that it has alpha/beta quality firmware.

memelchenkov

I'd love to see "duplicate" command for firewall rules, to create similar rule. Especially useful if want to try something by copying old rule and then temporary disable old one. And when create several similar rules. That is the COPY button that is already there. Oh my God! Thanks. I nev...

memelchenkov

I'd love to see "duplicate" command for firewall rules, to create similar rule. Especially useful if want to try something by copying old rule and then temporary disable old one. And when create several similar rules.

memelchenkov

I faced wrong IPSEC behavior in 7.1b4. Packets route wrong way, in my case it was IPSEC tunnel where packets should not be routed to. Support looked at dumps and told it’s working, no packets routed wrong. I believe my eyes, not support, when I see tcpdump’ed traffic at the end of the tunnel, at str...

memelchenkov

VLAN is layer 2 technology, no need L3 switch.

memelchenkov

Just a thought: it could be MTU issue. Try MTU/MSS manual altering, as usual on Mikrotiks.

memelchenkov

You need an MDNS repeater between the subnets to make the chromecast work. I believe RouterOS doesn't have MDNS functionality.. I use a linux machine with avahi for this. Topicstarter told he has single bridged network, no subnets. That's true, MDNS will not be repeated by Mikrotik by itself, witho...

memelchenkov

Unfortunately, developers in medium/large companies do not decide anything. Even Project Manager can't do much. Only Product Owner / Sales Managers / General Managers decide. They already decided to sell product with alpha-quality firmware, telling everyone it's a release. What do you expect from th...

memelchenkov

As an experienced software developer, I confirm that there is definitely lack of developers who are working on it! QA team is also understaffed. Hardly the owners read this forum, so it's just a cry in the blank.

memelchenkov

I noticed bugs with counters in ROS7. It was not related to IPv6 firewall. But if I met these bugs then you met it too.

memelchenkov

Hi! Does anybody have VPN issues with ROS7? You should have IKE2 instantiated from MikroTik. And also you should instantiate IKE2 from your PC/Mac. If you use a such configuration, please tell if you experience issues. Because I get so much issues with it and can't solve, MikroTik support also start...

memelchenkov

So is it that difficult to have some consistency within Mikrotik documentation?

OK, I will take it as a "thank you" :-D

memelchenkov

It's there, under different name, search page for "RBD53iG-5HacD2HnD (hAP ac³)" and you'll find Atheros8327.

memelchenkov

Sorry, it looks like a whole project. I even did not pay attention that the topic was published in SwOS area (got there by "Active Topics" page so have not looked where I am :), I never use SwOS on managed switches myself so even can't advise anything.

memelchenkov

It seems, you somewhere lose HW Offload so your CPU reach 100%. Check this manual for your model: https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples The main idea is you must use switch-chip hardware features to avoid using CPU at all. You cannot really route traffic using thi...

memelchenkov

I’d better investigate it, is it targeted attack or not.
I.e. I spent several months trying to make DigitalOcean to stop botnet attacks from their network, still not resolved, next step will be report to FBI.

memelchenkov

Over-quoting prohibition is part of netiquette. Netiquette is almost dead as Internet became platform not for engineers and scientists only, but for everyone. As soon as speed of life increased, quality of discussions decreased, traffic costs nothing (and channels are wide), over-quoting become &quo...

memelchenkov

I pretty sure everything incoming will be blocked by them. I see two solutions: 1. Ask your cell ISP if they can give you static IP and what ports/protocols will be allowed. Who knows, but I suppose they will provide it only to companies (corporate accounts). 2. Deploy intermediate VPN server on VPS...

memelchenkov

Just downgrade then, no? 6.48 branch has so many reported bugs so I'd be stay away from it as far as possible.

memelchenkov

Chateau user here. The most likely cause is that your cell ISP provides you with NATed IP, not dynamic/static IP. I tried on my operator too, the same behaviour. Where are you from? Russia? Yota? Because I testing on Yota, I got the address from 100.x.x.x subnet, I do not know, is it internal Yota s...

memelchenkov

I simplified Firewall rules and even completely disabled Fasttrack. I can say "yes", PPPoE reconnects brings mess to mangling and IPSEC processing, traffic starts going wrong way. I updated the ticket, please Mikrotik supporters who read the forum please take an eye on my ticket.

memelchenkov

After PPPoE reconnects no-marked traffic funny passes to IPSEC mangled channel. The bug still exists, I really appreciate if you'll fix it in short time, because it completely breaks my whole work process. I believe, bugs in core components should be killed at the first place, and only after cleanin...

memelchenkov

With 7.1b4 now a strange behavior: udp connection mangled as no-mark works for some time, then just stalled, no incoming traffic. Pressing "Remove" button in firewall helps, traffic starts going. It differs from previous beta, there were no such bug. However, it's only early hours, will se...

Search found 234 matches