MikroTik

Apachez

How are things physically connected?

Got some loop going on somehwere?

A drawing would be handy (physical network).

Apachez

This can be an expensive but sizeoptimized solution to do so

https://www.flexoptix.net/en/t-c12-rs232i.html

Other options are of course to get a proper SCS (serial console server) with dual LAN interfaces so you can go from IP to serial remotely.

Apachez

The fix is to use your own rsc files which you use for "reset-configuration". That is one rsc file per device. My scripts include this (based on Mikrotiks original restore): # # Setting static mac-address on bridge1 if ether interface is found # :set myFOUND 0; :foreach i in=[/interface fi...

Apachez

Looking at competitors there are not many options for a 12-port 2.5G fanless switch. Netgear have a 8-port 2.5G named MS308E: https://www.netgear.com/business/wired/switches/plus/ms308e/ While Trendnet have a few more options: 8x2.5G + 2x10G (SFP+): https://www.trendnet.com/langen/products/2.5g-mana...

Apachez

How can I reset RouterOS to factory defaults without losing remote access (Winbox/SSH)?
Can you explain what your real goal is?

The real goal is probably to reset RouterOS to factory defaults without losing remote access (Winbox/SSH)...

Apachez

How can you eat an apple but keep it intact ? You can not. In this case you can: /system reset-configuration keep-users=yes no-defaults=yes skip-backup=yes run-after-reset=<rsc-file uploaded to Files-directory> Make sure that this file defines an IP-address for ether1 (or whatever you use for remot...

Apachez

Out of the blue, I assume you use the latest 2.17 SWOS.

In the interface tab there is a checkmark for sfp high/low pin, that doesnt affect which speeds gets available of the transceiver?

Apachez

Thanks!

Apachez

Too bad since SWOS is really nice for regular L2-features.

Both maintenance and the learning curve is way lower than with RouterOS.

Not to mention the boot times

Apachez

Here is a bug?: (maybe) /system routerboard settings set silent-boot=yes does not work any longer (in some cases) So, if you have a HAP2 ac (RB962UiGS-5HacT2HnT) - the unit "beeps" when you reboot it or when it is "booting". There has been an option to disable this in the past a...

Apachez

What is "port cost mode" setting set to in bridge STP settings? Newer releases default to long while older releases defaulted to short - and upgraded devices with old config retained setting at short. This option appeared on 7.15 if my memory serves me right. Issue with this is that all n...

Apachez

Looking through the manual for SWOS I fail to locate what is the xmit-hash-policy that SWOS uses for dynamic LAGs like LACP (802.3ad)?

https://help.mikrotik.com/docs/spaces/S ... Manual-LAG

Apachez

Question is how you ended up with this situation?

I would guess you would need to reformat the nand and perform a netinstall to start over with this box:

https://help.mikrotik.com/docs/spaces/R ... Netinstall

Apachez

I wouldnt take forum responses personally, they are of no consequence. People here are free to speak their mind, sometimes its refreshing and eye opening and humbling. I make posts based on what I know, and if someone better comes along, who actually knows their stuff, I am all the better for it. (...

Apachez

Try the usual suspects: - Clear browser cache. - Shutdown and restart the browser. - Restart the Mikrotik device (at least as a troubleshooting). - Wait a minute or two (or three) before connecting to the Mikrotik device after its been rebooted. - Are you using http or https to access webfig? In cas...

Apachez

This snakeoil of not allowing 3rd party transceivers is just something retarded that some vendors does (thankfully not Mikrotik and a few others, and with Arista you can get a 3rd party license free of charge to unlock support for 3rd party transceivers). Boils down to public procurements where some...

Apachez

A router is a device that can forward packets based on layer3 information such as destination IP address. A switch is a device that can forward frames based on layer2 information such as destination MAC address. And then we have L3-switches (layer3-switches) who can do both (depending on how you con...

Apachez

Using RouterOS can be confusing at times no matter if you have previous experience from networking or not. Common things to screw up is MLAG and VLAN/bridge configuration. Personally I would have prefered if Mikrotik would do the approach of Arista and many others and have a common configuration (sw...

Apachez

hmmmmmphh... on smips arch winbox access ( ex open new window terminal ) getting high cpu usage up to 80%
downgrade to v6 then re update ( firmware) to v7 seems to fix cpu hog issue. thank you ..

Isnt this just a case of that you missed to upgrade routerboard which means another reboot?

Apachez

I have noticed that none of the CRS5xx devices have SwitchOS on its supportlist. What are the odds that SWOS will indeed show up for these devices or are CRS3xx and CSS6xx the last ones to get SWOS support? Im thinking of: - CRS504-4XQ-IN - CRS504-4XQ-OUT - CRS510-8XS-2XQ-IN - CRS518-16XS-2XQ-RM - C...

Apachez

https://vyos.dev/
Isn't vyos open source?
So that's far from "commercial"

Its an opensource project but with commercial licenses:

https://vyos.io/subscriptions/software

Apachez

SwOS is rock solid as is, I have some CRS317’s with over 500 days of uptime running on our ISP. The only request that many of us have, is to implement basic security prompts. You can easily press a button on the GUI by accident and bring down an entire network. I had an incident with a tech were he...

Apachez

Can anyone provide an example of another commercial networking vendor with a public bug tracker ? Also not exacly a public bug tracker, but at least they have this: https://arubanetworking.hpe.com/techdocs/ArubaOS/Consolidated_8.x_RN/Content/8.12/05/Known_8.12.0.5.htm But for MikroTik to have even ...

Apachez

Can anyone provide an example of another commercial networking vendor with a public bug tracker ?

https://vyos.dev/

Apachez

Try latest 7.19beta8 and see if the error remains? You can also try to for the devices using LAG towards your MLAG Mikrotiks to disconnect one of the cables to find out if the error is physical or logical. Logical as in something getting incorrectly blocked by your MLAG Mikrotiks but will work if th...

Apachez

File this as a feature request, I already did so recently regarding adding HTTPS-capabilities for management of SWOS devices. Regarding GDPR/NIS2 then make sure that your management network is already properly encrypted using VPN and use physical dedicated devices as adminstations. The thing of unen...

Apachez

Would adding a capability to log remotely via UDP to a syslog daemon be too much to ask in SwOS? I.e. I'd settle for entering the IP address of the loghost, and possibly requiring it is accessible through an ARP request. I assume you have already filed this as a feature request over at https://help...

Apachez

Im in the progress to update the lab so I started by updating to latest RouterOS 7.19beta8. That went smoothly. First download the binary (npk) for the correct CPU arch over at https://mikrotik.com/download and login to the CRS326 switch using webfig and upload the file to the Files (menu option to ...

Apachez

Using 7.19beta8 on a CRS326 with an older Firefox browser to get to webfig the horisontal menus/tabs at the top seems to be missing & nbsp; or similar so they all becomes like one or two centimeters in width even if the text is much larger (if there would be a proper non breaking space being use...

Apachez

So something like this should then work? In below example LAG-UPLINK and LAG-DOWNLINK are untagged VLAN100: /interface bridge add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes /interface bonding add lacp-rate=1sec mode=802.3ad name=MLAG-PEER slaves=qsfpplus1-1,qsfpplus2-1 transm...

Apachez

When creating a MLAG on CRS3xx/CRS5xx (using RouterOS v7.15.x or later) series you normally: - Create a bond for the MLAG-PEER. - Configure "bridge mlag" to use the above as peer-port. - Define a pvid (for example 4094) on the MLAG-PEER interface to be used for ICCP traffic. - Define "...

Apachez

and the multiple threads about this switch keep on coming......... https://forum.mikrotik.com/viewtopic.php?t=210003 Again this fellow @anav has responded. Told number of times somebody asked me to create new thread, as the title did not meet the content, hence created another thread. Because you s...

Apachez

Sure it works, thats how the others using VPP/DPDK does it.

Edit: But sure, they dont have 16MB of storage for their systems.

Apachez

Do you get the same if you dont use an interface list but like manually add each and every interface to the VRF (lets start with just 2 of them or so)? As a bonus question on similar topic - is it possible to (similar to how you can on Arista and VyOS) get to the bash mode when logged in to a Mikrot...

Apachez

https://help.mikrotik.com/docs/display/ ... p+features

https://help.mikrotik.com/docs/display/ ... Offloading

Apachez

Seems like these FEC values gets common these days: 74, 91 and 108. While Mikrotik currently doesnt seem to support FEC108. In https://forum.mikrotik.com/viewtopic.php?t=209869#p1089639 you wrote that you had the same BiDi on both ends of your cable which will explain why it currently doesnt work ou...

Apachez

Personally I would only assign IP to ether1 aka the MGMT/BOOT interface. But if you want mgmt to be rechable from elsewhere I would set it on VLAN level so that you can define where this VLAN is reachable because you probably dont want lets say INTERNET to be able to handshake with the mgmt of your ...

Apachez

I think your question(s) are better fitted for its own thread since this is going off topic for the subject of this current thread.

Apachez

Since that is a BiDi interface you must have one downlink variant on one end of the cable and one uplink variant on the other. For example where one of the transceivers RX:1310nm + TX:1550nm then the other one (on the other end of the cable) must be: RX: 1550nm + TX: 1310nm otherwise it wont work. T...

Apachez

They got some metrics available at https://vpp-docs.vyos.dev/performance/ but I think you need to contact them to get access to the VPP addon (I think it will be licensed in future).

Apachez

Use Winbox. Winbox can connect not only by IP but also by MAC. With it you can assign an IP address to that port, and then you will be able to access it via Webfig (browser). Not necessarily an issue in your case, but you shouldn't use VLAN 1, as a general rule of the thumb, as before or later it m...

Apachez

The FEC setting is a mess, just an example from various vendors (note that there are updates to this matrix not reflected on this link):

https://www.moduletek.com/en/applicatio ... 00096.html

So what do you have on the other end of this cable?

Apachez

The main difference between using a software based router (lets say VyOS) on a x86 vs a hardware offloaded one (lets say Mikrotik CRS326) is number of packets per second (which turns into bandwidth) along with latency. Softwarebased routing will have a limit of approx >250kpps per core using interru...

Apachez

Here you got some tips: viewtopic.php?t=209775

Apachez

You can manually through portcost select which path should be the prefered one if both exists at the same time. But that wont be able to adjust based on available bandwidth or based on retransmitted packets and such. To do so you need some kind of script thats being fired remotely or locally (throug...

Apachez

Regarding winbox there is also the webbased edition named webfig which I prefer over installing a 3rd party software on the mgmt-computer. This way you only need a webbrowser to connect to your Mikrotik and once you get the grip of it start using SSH (and consolebased access) aswell. When you login ...

Apachez

Nice ... ... but: "Maximum Firewall Port to Port Throughput" is 21Gbps ... a bit less than wirespeed. You should read the rest of the page aswell: All measurements are based upon TCP traffic unless stated otherwise. Total Firewall Throughput is calculated based on maximum PPS and standard...

Apachez

Try to plug the transceiver into another interface such as int9 or so.

Apachez

I don't think that your Opensense router xan toute at 40Gbps (limit of CRS' QSFP ports).

Sure it can, depends on the hardware.

Example:

60Gbps of throughput: https://shop.opnsense.com/dec4200-serie ... appliance/

Apachez

Again, disabling not needed features is NOT an "inconvenience" rather the opposite.

Apachez

Ahh right, copied from another guide I have setup regarding configs which must be placed in /flash otherwise they will be gone after reboot (since the root aka / is just a ramdisk).

Ill update the post to reflect correct syntax.

Apachez

So you have a TL-SM5310-T connected to a Mikrotik CCR2004-16G-2S+. Which interface is that connected to and is that interface enabled and what about the interface vlan configuration (untagged/tagged)? What kind of cable do you have (tried another cable)? What exists on the other end of this cable (v...

Apachez

From the previous link: According to MikroTik’s blog, the attackers exploited a vulnerability in the router’s operating system (RouterOS) which enabled attackers to gain unauthenticated remote access to read and write arbitrary files (CVE-2018-14847). RouterOS is the router operating system that’s u...

Apachez

Alternative method using scp instead of ftp is described at: viewtopic.php?f=2&t=203236&p=1047445#p1089258

Also note that the ftp service in ROS (as of writing 7.15.3 stable) doesnt support VRF so if you use VRF's /ip/service/ssh with scp is the way to go.

Apachez

Not that anyone asked but... Alternative method is to manually download the npk-files from https://mikrotik.com/download And then upload it to your Mikrotik device (example 192.0.2.1) using scp (you must have /ip/service/ssh enabled): > scp ./routeros-7.15.3-mipsbe.npk username@192.0.2.1:/ And then ...

Apachez

1. Unfortunately Mikrotik exposes the Linux DSA (the whole bridge stuff, read more at https://www.kernel.org/doc/Documentation/networking/dsa/dsa.txt) towards the admin instead of having a frontend in front of it like other NOS (based on Linux) do. What I do is to only admit tagged frames towards th...

Apachez

@ Tom I hope if you don't mind asking this question do you have current test setup at least with FRR + VPP how's the performance and any gotcha? I don't mind getting my hands dirty again to rollout pure linux solution as long as they are worth it. I'm also eyeing for VyOS but as far as i know they ...

Apachez

I find somewhat intriguing how half the new members posts asking how to access the router after having managed to lock themselves out, and the other half posts asking for recipes that ultimately increase the risk of locking oneself out. Seriously, one thing is doing whatever Is possible to prevent ...

Apachez

Why?? /tool mac-server mac-winbox set allowed-interface-list= none Its an encrypted protocol/service, what should be said if using winbox, make sure this is set to the TRUSTED subnet/interface. Because: 1) I dont like backdoors. 2) Management of these units should only occur from the management net...

Apachez

Yes, you can add portcosts to various links.

However I doubt that will help in your case unless you manually or by some script disable the path that uses the 60GHz link.

Apachez

i think you must return to ccr1072, usually newer platforms take months to optimize plus a new operating system version plus a new hardware architecture plus a new hardware offload using ASICs because of all this concurrent aggravating factors we can expect this process to be even more difficult th...

Apachez

Also UDP is the raw mode of sending and receiving packets on the network. Using TCP the kernel will take congestion control and other stuff into account for you in order for you to not lose packets - with UDP you must do this coding yourself. Lately improvement in such algorithms goes faster than ne...

Apachez

Perhaps a case of asking the same question multiple times until she gets the answer she is looking for?

Apachez

You mean CRS ? CSS is a SWOS only device.

What is your testing method ?

CSS326-24G-2S+RM seems to be a SWOS only device:

https://mikrotik.com/product/CSS326-24G-2SplusRM

While CRS326-24S+2Q+RM can do both SWOS and RouterOS:

https://mikrotik.com/product/crs326_24s_2q_rm

Apachez

That ether1 which is interface labeled mgmt/boot on the device sits on another switchchip (atheros) connected to the mgmt-cpu. Your bridge (and you should only have one) will act on the marvell switchchip to which you must add all interfaces except for that mgmt/boot one. Thats the case on CRS326-24...

Apachez

I’ve recently set up a MikroTik router for my home network to play the Nulls Brawl game, and I’m concerned about potential security vulnerabilities. I’ve configured the basic firewall rules and updated the firmware, but I’d like to know more about advanced security measures. What are the best pract...

Apachez

https://help.mikrotik.com/docs/display/ROS/Scheduler Note: if scheduler item has start-time set to startup, it behaves as if start-time and start-date were set to time 3 seconds after console starts up. It means that all scripts having start-time is startup and interval is 0 will be executed once ea...

Apachez

Yes thats what my (and Mikrotiks) default-configuration script do:

/interface bridge set bridge1 auto-mac=no admin-mac=$tmpMAC;

Apachez

Thanks! So then we can hopefully rule out that this would be some kind of misconfiguration on my side. Question is how the quality assurance works over at Mikrotik or how their config to validate this feature looks like? I have also filed a support ticket SUP-156966 on 24th of june which gives that ...

Apachez

Hi all,

Is it possible to disable the terminal prompt, like in Windows shell with the "echo off" command?

Thanks.

Max

How do you mean?

Like that it should echo back when you type on the keyboard?

You can enable api-ssl instead of using ssh for the scripting.

Apachez

Got a good manual on how to create stencils for more models?

Apachez

Also note that except for the limits of when you cant enable L3-offloading (VRF, MLAG etc) once you do the options are limited when it comes to number of routing entries, ACL's and whatelse. So currently I see the CRS series as a L2+ option. Mikrotik never comes anywhere close to lets say Arista in ...

Apachez

VPP is just a frontend towards Intel DPDK which means that you set aside cores from your onboard CPU to not be part of the kernel processing. This means that alot of the kernel and userspace overhead is removed for these cores which means that they will maximize performance for a single task such as...

Apachez

Auto-mac=on will pick any available mac-address of your device. There is a slight chance/risk that different interfaces will be picked during (re)boots. Which means that your Mikrotik mgmt-interface might have different mac after a (re)boot which might be a bad thing (for example if it sits behind a...

Apachez

That would break the basics of PKI.

Perhaps you can add these as a pool of users?

Apachez

Would be interesting if you got an old backup available to compare what the difference became to your working config?

Apachez

With that being said looking at the restore script from Mikrotik even if they manually set the admin mac they still pick the first available mac from the device itself. Below is my modified edition: :global myFOUND "0"; # # Function to display and log messages # :global debugMSG do={ :put ...

Apachez

Well if you want to have two clients at once using one cert each then you must add it as two different certs.

Running the set command on already existing cert will alter parameters for that cert.

Apachez

Some user write a tons of script for character encoding/decoding and mikrotik add some commands on v7....

v6 seems still to be the LTS edition as of writing so no wonder why people needs to still reinvent the wheel when using RouterOS?

Apachez

Thats what I like with how VyOS presents changelogs. The userfriendly edition is displayed at their blog, example: https://blog.vyos.io/vyos-1.3.8-maintenance-release https://blog.vyos.io/vyos-project-july-2024-update But each change also points to their repo over at https://vyos.dev where you can f...

Apachez

https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-L3HWFeatureSupport should answer some of your questions. Unless you plan to use VRF, MLAG, VXLAN or Q-in-Q then your CRS switches should be able to offload L3 aswell - otherwise they will just offload L2. In your ...

Apachez

As you can see on the blockdiagram (go to mikrotik.com, click on hardware then switches then locate your model and finally select Downloads & Documentation and you will see the link to the blockdiagram etc) https://cdn.mikrotik.com/web-assets/product_files/CRS326-24S2Q_230231.png the two "s...

Apachez

Factory firmware is whatever thats available in your device in case you start over. Im not aware if a netinstall can wipe this (it should) but generally speaking when you update the routeros you can do another reboot to have the bootloader updated aswell. The bootloader is like bios if compared to y...

Apachez

Which software version?

Apachez

*) dns - added support for mDNS proxy;
OK，kill a container mdns-repeater .
Works well
Code: Select all
/ip/dns/set mdns-repeat-ifaces=bridge1,vlan1_iot

Tried that when using VRFs?

Apachez

You really shouldn't add your WAN interface to bridge. Bridge is a switch-like entity and joins all member ports into single ethernet domain ... so in principle traffic can pass between e.g. sfp28-2 and sfp28-1 without ever hitting firewall. And I don't think that's what you want to do. Thats why y...

Apachez

Cant you send remove commands at the same time something like (or whatever the syntax will be): /ip/service/xxx remove [find address=x.x.x.x] Im thinking lets say you have in total 5 IP-ranges to deal with but as you said one box will only allow one of these and another will allow three of them. Thi...

Apachez

At least you got a reply from support...

Apachez

Thanks, but - where to get winbox for mac OS???

Why not use webfig (www-ssl) and ssh?

Apachez

What version of SWOS?

Tried latest?

Same with RouterOS, tried latest as in 7.15.2 stable and is it the same issues?

Also what kind of issues?

Apachez

Note that this is a complete mess if you got a multivendor environment and want to use STP: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/spantree.html The IEEE 802.1D specification assigns 16-bit (short) default port cost values to each port that is base...

Apachez

According to the manual setting it to 0 should be allowed so Im guessing Mikrotik have another bug you should report: https://help.mikrotik.com/docs/display/ROS/Wireless+Interface wds-cost-range (start [-end] integer[1..200000000]; Default: 50-150) Bridge port cost of WDS links are automatically adj...

Apachez

After my move from 7.15 to 7.15.2 I keep seeing LACPtoSwitches: bridge RX looped packet - MAC 18:fd:74:78:3b:9b -> ff:ff:ff:ff:ff:ff VID 80 ETHERTYPE 0x0800 IP UDP 0.0.0.0:68 -> 255.255.255.255:67 LACPtoSwitches is a bond to a set of MLAG switches. 18:fd:74:78:3b:9b is my eth6 on my Router (5009) w...

Apachez

According to the feature support list over at https://help.mikrotik.com/docs/display/ ... ureSupport the answer is yes and no.

Fasttrack connections will be offloaded but everything else will go to the CPU.

Apachez

Perhaps someone from Mikrotik can enlighten us but to my knowledge the setting on switchchip level is the global on/off switch. Then when you have that at on you can disable individual interfaces with an on/off at port-level. So if the switchchip have this off and port X have this on the result is o...

Apachez

Will the same happen if you do something like this instead?

/ipv6 address
add address=::2 from-pool=v6prefix interface=bridge.vlan62
add address=::3 from-pool=v6prefix interface=bridge.vlan64

Apachez

At least putting ketchup on your schwarma is forbidden in Canada...

Apachez

Why on earth would you assign F1 to something else than to pass to the current window?

Apachez

Again, to me that sounds like something is REALLY broken with RouterOS if such steps are needed.

Apachez

I wonder if anybody else tested the speed of ROS 7, and 7.15.2 in particular, compared to ROS 6 (say 6.49.13)? it seems that the "visible config" (as shown by export command) sometimes doesn't correspond with actual hardware config (it seems that there's binary configuration blob which ra...

Apachez

You wont do this unless you do some sort of IDS/IPS interception (or forward the connections through a mailrelay of your own). You would either way need some TLS-interception aswell to inspect the content (most emails these days uses starttls between servers). Sure you could probably get a counter o...

Apachez

Technically for RJ45 its mandatory to use autonegotiation according to IEEE standard. So that should NOT be disabled. Also with autoneg disabled the auto mdi/mdix will also get disabled so you are then down to use the correct cable like a straight cable between your device and a host and a crossover...

Apachez

You math is a bit broken or you got some other major malfunction going on...

Apachez

If that pihole install is 3 years old I think you should update it before making a new attempt

Apachez

I fail to see why you are upset that somebody pointed out that your suggestion can be improved. Doing just the if statement as your suggestion will have clear limitations of the script not working as expected. Compared to doing it as a whilte statement. Most optimal is to NOT waste CPU resources and...

Apachez

I assume you also tried rebooting the Mikrotik device when setting autoneg=yes but limit the advertised to just 1Gbps/Full Duplex ? Aka "did you turn it off and on again?" :-) I have noticed that even if SFP/SFP+/SFP28 modules are supposed to be hotpluggable thats not always the case speci...

Apachez

For reference here is the full default script being used by Mikrotik in 7.15.2 stable when you run a reset-configuration and have "no-defaults=no" being set: [admin@Mikrotik] > /system/default-configuration/script/print without-paging script: #| Welcome to RouterOS! #| 1) Set a strong rout...

Apachez

ether1 which often is the MGMT interface On what brand? I never see ether1 as management interface on MikroTik product (on DEFAULT configuration, OBVIOUSLY). (or at least I've never seen one directly before) So the ORIGINAL MikroTik script for the default configuration does what it should. If you d...

Apachez

Personally I would solve this by running adhome (or pihole) or some other resolver as a container in your Mikrotik or prefered on a dedicated hardware (either as bare metal or as a VM guest). This way you have something that actually work and is not dependent on the lack of quality assurance which M...

Apachez

Reason why you failed previously is due to that both ARP and MAC entries are cached by switches and routers. The MAC entries for a particular interface is normally deleted when the interface goes down and same with ARP. But in your case if the interface doesnt go down (on the router) because you for...

Apachez

Do you have the SKU of these particular Ubiquiti transceivers?

Apachez

TTL in this case is also questionable (when it comes to caching) if its relative (reset when a new request is made) or absolute (the counter goes down to 0 no matter if there are cache hits or not). When it comes to DNS its often absolute as in the authoritive server defines for how long the resolve...

Apachez

And why should it cause it? The MikroTik script is intended for an unconfigured device, to which the script is applying the default configuration. Because the original script will pick any interface which isnt a slave, passthrough, loopback or contains the name "*bridge*" and if such inte...

Apachez

You really didnt read the OP (original post) did you? Here is the usecase: Mine is clearly more in line with the (incomplete) request. So what? No "loop" or "wait until" required. Don't make things up. He asked exactly "script that executes commands if router uptime is more...

Apachez

if you need reliable MLAG hardware go for cisco, extreme or if you need to be on budget ... fs.com speaking of fs... MLAG featuring switches: N5860-48SC (mlag or stack) S5860-48SC (stack) S5850-48S6Q (mlag) routing ... mikrotik switching ... cisco, fs, aruba, extreme Even if the same name FSOS , di...

Apachez

What you write is absolutely not in the OP, what are you making up? I need a script that executes commands if router uptime is more than one minute Help me please And on the other post that isa reply to your post: I need checked uptime. If the uptime was less, the command would not be executed This...

Apachez

Speaking of conflicts... how come the original script form Mikrotik picks one of the physical interfaces MAC-address and put it on the bridge - wouldnt this cause a conflict aswell?

Apachez

Without the loop your script will fail to execute if you read the OP's original intention to have the script being runned 1 minute after boot. The proper solution is to add the script as a scheduled task to be runned at "startup" which by ROS occurs 3 seconds after boot completed and in th...

Apachez

You do not specify RouterOS version. For v7 Simply... { :local ups [:tonum [/system resource get uptime]] :if ($ups > 60) do={ # ...script code... } } if the number is > 60... is more than 1 minutes that the device is up... for v6, since is just a string... { :if ([/system resource get uptime] > &q...

Apachez

Pro tip ... 1. Click "Design Skin" 2. Go to Resources 3. Click triangle button next to Version 4. Select "Add to Status page" Looks promising though I'm unable to locate any tab/menu called "Resources" in Design Skin mode.. Click on System -> Resources first. Then in t...

Apachez

Pro tip ... 1. Click "Design Skin" 2. Go to Resources 3. Click triangle button next to Version 4. Select "Add to Status page" now any variable can be your home screen. Fugly workaround... at least its one click away that way since the naming of the page wont display due to too l...

Apachez

Why is it important? Maybe somebody else has another "very important" variable they need everywhere. We can't cram everything in one screen. You have PLENTY of dead unused space below the button "Make Supout.rif" in the left menu - same with the area where the hostname is being ...

Apachez

Well if you will leak everything between your VRFs anyway then the purpose of using a VRF goes away and you could just have everything in the default vrf=main and call it a day.

Apachez

Its not about that this information is hidden behind 25 clicks in the webfig - its about getting this info in less than 1 click as in no click at all as with when you login through CLI/SSH you get it as the MOTD message.

Apachez

Worst place ever to place that info :D

Apachez

Then it sounds like you have some other malfunctioning going on in your config.

Apachez

Question is what is your purpose of using VRF with all these routeleaks?

Apachez

Try press any key or at least the delete key during the first 2 seconds during boot when connected with a consolecable to the unit.

From there (the bootmanager) you should have options to manually start etherboot or replace the firmware incl formating the storage etc.

Apachez

On the other hand RouterOS have existed since 1999 so thats about 25 years this year.

How many more years do you think it should take before RouterOS gets proper VRF support?

As a comparision Arista was launched in 2008 and have had VRF support since day 1...

Apachez

It is very useful. This is what you see when you login through CLI/SSH: MMM MMM KKK TTTTTTTTTTT KKK MMMM MMMM KKK TTTTTTTTTTT KKK MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK MMM MMM III K...

Apachez

Here is a workaround if you still want to figure out the seconds since boot but again using a "delay 60s;" as first row in your script is much more efficient along with schedule that script as startup-script. :global myUPTIMESEC "0"; :global myTIMEOUT "60"; while ($myUP...

Apachez

Yes and delay of 3 seconds (once startup-script executes) + 57 seconds within the script before the rest of the script is being runned will give you that more than 1 minute has passed since the device got power on. If you still refuse to take the easy way out you can pick the uptime variable and hav...

Apachez

You can see how Mikrotik prefer to set it using "/system/default-configuration/script/print" (example below is from 7.15.2 stable): /interface bridge add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf; :local bMACIsSet 0; :foreach k in=[/interface find where !(slav...

Apachez

7.15.2 same problems...

Which is?

Apachez

Oh in webfig? He did not say it was about webfig... in winbox the version is in the title bar for both v6 and v7. In general it is not a good idea to reveal the version on a login page. Scanners and intruders use that to know if you are running a version for which they know how to break in to it. T...

Apachez

The physical ports on the device are wired to the switch chip so packets will always pass through and be processed by the switch. The underlying architecture has a single interface beween the switch chip and CPU - the ether1..etherX interfaces shown in winbox/CLI are logical interfaces, the driver ...

Apachez

I wish everytime someone tried to create vlan1 on the router, it would spit out an audio recording of this............
https://www.youtube.com/watch?v=EfYtMLe7gqI

Or like this

https://www.youtube.com/watch?v=nP_JN6TKQFw&t=37

Apachez

Yes, thats how VRF's often are used to setup 2 or more "virtual" routers in the same box or for security reasons where you want to isolate the mgmt-interface as much as possible against the customer traffic or if you want to deal with multiple customers at once in the same box where they a...

Apachez

Normally you dont want leaking of routes between VRF's. Also for this to work the service itself must allow for the leaking syntax as in x.x.x.x@VRF which for example the logging service currently doesnt (I have raised a feature request about this). Another dirty workaround is to use your "main...

Apachez

https://help.mikrotik.com/docs/display/ROS/Scheduler Perhaps add it as a startup-script in the scheduler which will run it 3 seconds after boot but the first line in your script is something like: delay 57s; Then have the rest of your code which gives that the script starts 3 seconds after boot then...

Apachez

The way to deal with such scenario is to use VRF's. Note however that VRF's are somewhat broken in ROS 7.x so not all services supports VRF's once you choose to go that path. For example the /ip/dns service doesnt support VRF (it claims it does since 7.15 but its broken), same with ip/ftp (no suppor...

Apachez

My bad, checked it on another winbox.

SSTP was enabled. I've disabled it and nmap stopped showing port as open, curl also started refusing connections.

Thank you guys!

Glad that it got resolved

Apachez

But you got "enabled=yes" for that SSTP according to the CLI config and I would trust that more than winbox. You could try to enable www-ssl and set that to a different port like 8443 or such and login using https://<mgmt ip of device>:8443 or whatever port you select and see what webfig t...

Apachez

Try something like:

/export terse show-sensitive verbose file=flash/custom.rsc

And then download that through webfig or scp and finally search the file for "443".

Apachez

Well whatever syntax they prefer but its a mess that one line of config use "enabled=no" to disable a feature while the next line uses "disabled=yes" to do the same thing...

Apachez

It matters because the web-proxy wants a layer3 interface to use to listen for incoming connections.

And you configured that to be 192.168.88.0/24 as address which is not valid.

You would also need a routing entry so the webproxy can reach whatever you want it to proxy for the clients.

Apachez

I have never during maaaany years of networking had the need to have MVRP enabled.

Whats your usecase that you want to enable MVRP?

Apachez

It's not a config issue, its something inherent to the 6.49.x firmware If I take a problematic router and downgrade it to 6.48.x or upgrade it to 7.x with no changes to the config at all, it works fine Every single device regardless of what it is or what config is in place it does not work with 6.4...

Apachez

Only way to get proper attention is to create a support ticket.

I have tried... only 1 out of 3 tickets got a reply for the past 3 weeks...

Apachez

Thanks! In my case I have created a script based on output of "/export terse show-sensitive file=flash/custom.rsc" where I noted during cleanup that some guides (perhaps outdated?) wrote the find the same as the /export (in 7.15.2 stable) do as in "[ find default=yes ]" while som...

Apachez

When doing /export one can often see something like (example from 7.15.2 stable): /ip smb users set [ find default=yes ] disabled=yes But the above can also be written without that "default=yes" part like so: /ip smb users set [ find ] disabled=yes But whats the difference? At first I thou...

Apachez

Whats the purpose of a negative overhead?

Like if your linux kernel have some vlan tagging offloading for the nic so the kernel doesnt handle the vlan at all but the nic will?

Apachez

25 seconds is often related to STP so I would call that as a prime suspect.

Try setting "edge=yes" on all interfaces (just as a test) and see if the downtime goes down to below 1 sec ?

Apachez

In that case (again without Q-in-Q config since I have not much experience from that with Mikrotik) something like this: # Create the bridge /interface bridge add arp-timeout=4m frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes # Add interfaces to bridge /interface bridge port add ...

Apachez

In that case (again without Q-in-Q config since I have not much experience from that with Mikrotik) something like this: # Create the bridge /interface bridge add arp-timeout=4m frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes # Add interfaces to bridge /interface bridge port add b...

Apachez

I was referring to R1-R3 (L3/BGP). L2 VRRP/LAG should kick in pretty much instantly. BTW, what do you mean by upstream LAG in this scenario? When I use MLAG I set it up as (example with Rx upstream, SWx being MLAG and FWx being downstream): SW1 connected to R1 with LAG1 (LACP) and R2 with LAG2 (LAC...

Apachez

I havent done Q-in-Q with Mikrotik (yet) but below should work for your first two vlans (regular tagged and untagged): # Create the bridge /interface bridge add arp-timeout=4m frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes # Add interfaces to bridge /interface bridge port add bri...

Apachez

How is your ssh config of your Mikrotik and how is that client software configured regarding its ssh-client?

Apachez

I dont know if MLAG with Mikrotik is different from other vendors but point of using MLAG is having 2 physical devices to behave as 1 logical unit. That is with MLAG I would normally just configure IP-addresses on the VLAN-interfaces and have the MLAG-cluster doing regular L3 routing. This way you d...

Apachez

Exposing RDP and similar remote desktops over the Internet without any proper encrypted VPN in between is a VERY bad decision to make. Have the clients use wireguard and terminate the encrypted vpn as wireguard on your Mikrotik and then from there let them handshake with the RDP service of the host ...

Apachez

And because of my post I finally find out how to do it:

/console/clear-history

Apachez

So ehm any progress on this now when we have RouterOS 7.x? Doing a: /system reset-configuration keep-users=yes no-defaults=yes skip-backup=yes run-after-reset=flash/custom.rsc Doesnt seem to erase the terminal history at all which remains as others have noted years ago. On a regular linux system you...

Apachez

The broken VRF-support för /ip/dns have been confirmed for both CRS326-24S+2Q+ and CRS112-8G-4S using both RouterOS 7.15.2 stable and 7.16beta4 testing.

Anyone in here who managed to get it working on these or some other Mikrotik model?

Apachez

You mean the ISP router waits for RA from your Mikrotik? Another thing to lookup/verify is if your ISP actually sends you a public nexthop to be used as gateway for your Mikrotik or if they rely on linklocal address instead (which lately seems to have become a thing among ISP's)? No, what happens w...

Apachez

Noone is blaming anyone, only pointing out that the current firewall rules seem incomplete ... You mentioned "compared with default configuration" and I was pointing out that CRS devices don't have any default ... meaning that an unsuspecting fresh ROS user (without experience with MT dev...

Apachez

Ergo, IPv6 is way borked in 7.16beta4. I have to pull back from this statement until I do further testing. My ISP also changed the way they issue default routes for IPv6 and so I now I don't know if the core issue was 7.16beta4 or the ISP change. This particular ISP now requires that IPv6 DHCP and ...

Apachez

I found this that can output to a local file but its not really what Im looking for: https://github.com/joncutrer/perfectrestore All I want is to be able to print to the console various stages of my custom.rsc when being runned by reset-configuration. It works when I run it as /import after I have l...

Apachez

In the Switch side the TX Power is -7.146dBm and the RX Power is -40.000dBm and the Router side the TX Power is -5.738 and the RX Power is -40.000dBM Is it mandatory to use a MikroTik SFP in order for the connection to work? Not that I know of. You could try to loop the interface to see if you get ...

Apachez

How does it write to the terminal, if the script is launched from an internal session? You have to launch it in the terminal yourself, if you want to see the results of the script. Same way as whatever is writing "Resetting configuration..." to the console? After all its a regular linux i...

Apachez

No, seriously - who asked for DLNA? Who needs DLNA in the main package of the router? Without ability to turn it off? Is it really that hard to keep routers for routing and separate packages for other unnecessary functions? Every single unnecessary feature increases attack surface and helps bad guy...

Apachez

Thanks.

Connect RJ45 to ether1 and console cable to well CONSOLE and then through the console cable:
I only have 8 RJ45 ports, 1 USB port and 1 SFP port.

Then connect to the first RJ45 interface, that should be refered to as ether1 internally.

Apachez

I never understand why 24V devices exist... Why not 48V which is standard ? It's PITA when you, for eg., have PoE switch and than PTP antennas are 24V... Because sometimes companies like Mikrotik dont wait until a standard is set through RFC etc and start to use pre-standard setups which later on t...

Apachez

I found out the router kept my exported config file so restoring should be easy. It even saved a pre-reset backup file but I can't edit that one I would do something like this: Connect RJ45 to ether1 and console cable to well CONSOLE and then through the console cable: /ip address add address=192.1...

Apachez

I pasted this previously on reddit but in case somebody else runs into this and are new to Mikrotik devices (and RouterOS). With Arista/Cisco/HPE/Juniper/VyOS and others you can move the config of one device to another by: 1) On the box itself: copy running-config startup-config 2) Then copy startup...

Apachez

To mimick the behaviour of copying a config from one device to another Im utilizing reset-configuration in Mikrotik like so: /system reset-configuration keep-users=yes no-defaults=yes skip-backup=yes run-after-reset=flash/custom.rsc However I fail to get the script to output info to the console whil...

Apachez

Please accept my apology. Still unclear if supout.rif was attached to that SUP, but I am sure Mikrotik will request it if missing. Sorry for going slightly offtopic but what is the expected turnaround time to get a response from support? I filed this /ip/dns VRF-failure bugreport almost 2 weeks ago...

Apachez

Delete sfp-sfpplus2 from the /bridge/ports list, then you can create a new bond interface where sfp-sfpplus2 is a member.

Apachez

Ah, before I forget, for the same reason (DNS not working) I couldn't update the RoS from a internet connected VRF and had to go through "main" (that was on 7.12.1, but if things have not changed (yet) with 7.15.x, the issue should remain the same. Yes, that seems related to the broken VR...

Apachez

Seems to reply to pings now at 2024-07-05 08:05 CEST.

Apachez

As my comment on similar topic in /r/mikrotik over at reddit: Plenty of CVE score 9+ when it comes to Juniper and Cisco equipment aswell for the past years. Snowden docs was only the top of the iceberg with examples such as: https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-...

Apachez

L3 Hardware Offloading L3HW Feature Support VRF N/A Only the main routing table gets offloaded. If VRF is used together with L3HW and packets arrive on a switch port with l3-hw-offloading=yes, packets can be incorrectly routed through the main routing table. To avoid this, disable L3HW on needed sw...

Apachez

Only as a note, since dns is not working, also NTP is a problem, as you need DNS resolving to use servers such as pool.ntp.org.

Thanks, added it to the original post.

Apachez

Looking through the list over at https://help.mikrotik.com/docs/pages/viewpage.action?pageId=328206 I have currently located these services as missing proper VRF-support, that is when you for example create a VRF such as "VRF-MGMT" and expect the service to only exist at VRF-MGMT rather th...

Apachez

Im not 100% into Mikrotik lingo yet but when speaking about fastpath/fasttrack and firewall (iptables/nftables) thats more about not having to evaluate as many rules as you normally need to. For example having allow estalished/related as the first rule is a "fastpath" setting - but the pac...

Apachez

Im guessing noone in here are using /ip/dns along with VRF?

Apachez

https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading Feature: IPv4 Firewall Support: FW Comments: Users must choose either HW-accelerated routing or firewall. Firewall rules get processed by the CPU. Fasttrack connections get offloaded to HW. Release: 7.1 Feature: IPv4 NAT Support: FW C...

Apachez

how to reproduce? If you refer to my comment, there is no step to be taken for reproduction.. it just happens continuously after power on! If possible try to in a lab setup your own authoritive DNS server for the zone lets say "example.com" and then have a client using your Mikrotik as a ...

Apachez

Well, after MikroTik being in the field of router software development for nearly 30 years we could kind of expect that the developers have gotten around to setting up some automated test environment that runs a series of regression tests before even a beta release hits the download servers. They m...

Apachez

And what would the PoC show do you mean?

Apachez

Most likely due to that the DNS-service that is /ip/dns in Mikrotik have broken VRF support. So it currently only work for VRF=main. It was supposed to have been added in 7.15 stable but the quality assurance over at Mikrotik have work to do (its still broken in 7.15.2 stable and 7.16beta3)... I hav...

Apachez

Except for regular hardening as in disable services not needed (there are a few) and adding firewall rules another option to enhance the security or rather the segmentation is to use VRF's. Unfortunately not all services supports VRF today (as of 7.15.2 stable) such as DNS (currently broken), FTP an...

Apachez

Usually you dont want clients to speak to each other. That is at the layer2 switches you use something called port-isolation (or protected vlan which is a specific subset of private vlan) so the clients can only speak upstream. If that is the case in your case I would just do regular VLANing on the ...

Apachez

No. Mikrotik is not affected by this vulnerability

An official statement at mikrotik.com would be a better source than some random forum member (no offense but still

Apachez

A workaround would be to at least add it as a textarea so that you can write the stuff through winbox/webfig. Setting up rules through GUI is less efficient and troublesome where copying a single (or multiple) row(s) and do the changes textual is way faster. One could even argue if the admin doesnt ...

Apachez

But at the same time these "betas" fixes critical errors found in the "stable" releases - which gives? Should I use a "stable" release who is more broken than the "beta" release who is just slightly broken? Which one would you recommend to be used in production?

Apachez

If you click on the group tab - whats the difference between full and admin? I would probably try to extract the current config and then import it back with "keep-users=no" (dont forget to add a custom user to your rsc file). Doing a fresh netinstall is probably a safer bet to just wipe th...

Apachez

Can you provide the log you are refering to since both screenshots shows the same network diagram?

Apachez

Somewhat of a workaround is if you use VRF for your MGMT-services then you can define "pref-src" when you define the routing table for that VRF i /ip/route. But I fail to locate any up2date info of that setting at https://help.mikrotik.com Only locate this at https://wiki.mikrotik.com pref...

Apachez

@Apachez are you the same Apachez on VYOS forum, if you are I'm glad you are here too

Yup, thats me! (failed to find how to send you a DM so the reply is public instead).

Apachez

Sounds like really nice features to have specially on the switch-series. Port-security with both dynamic (that resets when disconnecting interface) aswell as sticky (to be included in the config and survive a reboot) along with DAI (Dynamic ARP Inspection) and IP Source Guard are really nice feature...

Search found 206 matches