If we reload the same RouterOS version onto the router and reboot will that reload the OS and clear these things?
We are running 6.46.8 (Latest long term)
This is an ISP network so no real chance of looking at PCs.
However the traffic is originating from one of the router interface IPs.
I suppose the destination IP could be miscategorized by Kentik.
We seem to have several routers that are infected with the bot RemcosRAT talking out to 192.169.69.26.
Our Netflow tool observed the communications. That is how we know.
Anyone else noticed this?
Trying to find a good way to see if the other routers are infected.
In our CCR1036 devices, DHCP does not always populate the ARP table. ARP table entries are critical in our setup. Or the ARP table entries are disappearing despite the longer timeout setting on the DHCP bridge. Actually, thinking more and more that the ARP entries get added to the ARP List but later...
Anyone find a solution to this? Have same problem with a CCR1072 on 6.46.7 advertisements print show nothing to upstream peer and the upstream is receiving the prefixes and traffic is flowing as expected. Strange thing is we have another CCR1072 peering to the same upstream on a different circuit an...
This is still a problem in 6.44.6
It's pretty sad that a simple packet sniff operation brings this big powerful router to its knees and crashes it so bad that it needs a power cycle to recover.
Ok, This is a strange one and hard to reproduce. Symptom: PPPoE authentications are failing against our off site Radius server. We can reboot the router and everything is fine again. During investigation and while the router was in the state, I looked to see if there was a more current version of Ro...
We have seen this also but not in a while. We reworked Firewall filter rules to get the CPU load down and it got more stable. Problem seems to be worse when the CPU load is highest. And using packet sniffer with Winbox drives the CPU up and can crash the system as well. Also it does seem more stable ...
Has anyone else experienced the CCR1072 running 6.43.8 and the previous couple releases, becoming unstable and crashing (total hang up requiring a power cycle to recover) when running packetsniff? A big clue is the CPU goes to 100% when running packet sniff. Even a sniff that results in a rather smal...
We have 6.42.7 updated this morning.
I'm noticing that our BGP blackhole peer with our upstream is not sending withdrawal from the network list like it used to.
Was able to determine it's not the number of /32 prefixes, it was the script that looks at my address list and puts those addresses on the prefix list https://forum.mikrotik.com/viewtopic.php?f=9&t=115521&p=680382#p680382 I was running the script every 10sec but it takes over 2min for the scr...
Tried your script, seems to work well.
Any reason it takes 2.5min to run on a CCR1072?
Adding 120 prefixes from my address list.
Does that seem right?
I can only run it every 5 min.
We seem to get hit by DDoS attacks to a large number of IPs at the same time. Some are assigned IPs and many are not. In any case, we want the ability to black hole several hundred IPs at once. Our upstream allows up to 200 at the moment. However, with 100 or so /32 prefixes on the Mikrotik (CCR1072 ...
That first mangle rule /ip firewall> mangle print Flags: X - disabled, I - invalid, D - dynamic 0 chain=prerouting action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=ddos-source address-list-timeout=6h in-interface=NETIX log=no log-prefix="" sure seems to put a lot o...
dst-nat is performed as the frame or packet enters the 'Tik, so the mangle rule assigns the packet-mark to the packet too late, after it has already passed the dst-nat chain. So a single rule like /interface bridge nat chain=dstnat action=dst-nat to-dst-mac-address=FF:FF:FF:FF:FF:FF mac-protocol=ip...
I've got a phone server on our network that uses the subnet broadcast address to send info to the phones on the local subnet. However, it's sending the packet to destination MAC of the gateway router (MT 2011) and not FF:FF:FF:FF:FF:FF so the phones never see it as the switches forward the frame onl...
It could be but I don't see the traffic going up much.
I have a bunch of rules to detect if the traffic goes up to an unusual level and captures stuff into files assuming it's a DDOS attack.
It could be a low volume attack designed to drive a Mikrotik crazy, I suppose.
We have a CCR1072 running 6.40.5 on the edge of our network. This router typically has 2.5-3Gbps of traffic running through it. Many fw rules and does NAT for customers on private addressing. About 1-2 times per month it randomly jumps into a mode where the CPU goes from the normal 7-8% up to 60% ra...
We have a CCR1072 running 6.40.5 with an S+31DLC10D SFP module to communicate with our upstream provider. Our upstream started getting receive errors over the last couple of weeks and it's really climbing the last few days. On our side we see Tx Power -4.483dBm Rx Power -3.951dBm Our upstream sees thi...
There seems to be an issue with SNTP getting synced in this version. I use a script to periodically set my server IPs to us.pool.ntp.org and time.nist.gov. Script works fine but router simply won't sync any more after upgrading from 6.30 to 6.32.2. Well, turns out I forgot to do the Routerboard fw upd...
There seems to be an issue with SNTP getting synced in this version.
I use a script to periodically set my server IPs to us.pool.ntp.org and time.nist.gov.
Script works fine but router simply won't sync any more after upgrading from 6.30 to 6.32.2.
We are setting up Hotspot to authenticate the MAC of our CPEs. We do not want users to get a splash page and “log in”. It needs to be automatic authentication to the Radius server. If the MAC is in the Radius server, then authentication should work. Sometimes the MAC/IP shows up on the Hosts list bu...
I believe this is part of the flow control mechanism that was added to Ethernet interfaces in RouterOS 6.12+. Not a new concept in Ethernet but new to MT. I had this issue on one of my CCR1036 interfaces connected to a SAF backhaul. The SAF turns flow control on (no option to turn it off) and I had no...
Customers were complaining about download speeds being terrible. Mostly around 1-1.5Mbps. No matter what their queues are set to. I have a computer at a tower site so I was easily able to verify this. Also AirControl tests to CPEs confirmed. I think this is related to 6.18 as I upgraded over the ...
Each tower has a router that connects to one or more upstream towers and is the primary interface to the customers. There is one interface that is customer facing. The firewall filters are primarily to protect the infrastructure, not the customers. Most customers are on private addresses so we NAT a...
It's rule 10 that causes all the trouble. # nov/ 4/2013 21:10:13 by RouterOS 6.5 # Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Established input chain=input action=accept connection-state=established 1 ;;; Established forward chain=forward action=accept connection-state=established 2 ;;; Rela...
Anyone having trouble with a Firewall filter rule like this add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid This absolutely creates much trouble with my customers' traffic. Seems to kill all sorts of valid traffic including my AirControl traffic to ...
Tried MTU of 1500 and 1460. No change. Testing to MT493AH. From the PC to the local MT493AH I get around 78-80Mbps each direction. To the remote MT493AH on the other side of the Motorola licensed MW link (100x100 full duplex) I get about 18x16Mbps. I know it's not the link as the customer traffic run...
Yeah, but it also does it on the Motorola Licensed 100x100 full duplex link.
And I know the link supports >15-18Mbps data because at peak times, I see around 25-30Mbps customer traffic.
I use MT routers in various places in my networks. In areas where they are just routers (no wireless cards), when I run bandwidth test between two 493AH routers (both on V4.5) that are connected to the same HP switch, the speeds look great. But in 3 different places when I run across either a Ubnt l...
Were you ever able to get the Shrewsoft VPN client to connect to ROS?
I'm not very knowledgeable about IPsec setups so I need to know if it is possible.
If it does work, are there step-by-step directions somewhere?
I'm applying firewall rules to a bridge and all seems to work well. Can anyone tell me what exactly the Connections tracking window is telling me. My default TCP Established Timeout is set to 1d 00:00:00. That seems too long. I just want to see how many active connections there are. What should I us...
Put v4.6 on my 750 and it would no longer talk to my Motorola PTP800.
Very strange as it would talk to my Ligowave device and my PC, just not the PTP800.
Had to abort 4.6 to get things working again.
I'm running Dude 3.1. When I test the notifications I get the proper syslog and event log entries but not all notifications are sent by email. I test by taking 5 devices down at the same time but I only get 2-3 email alerts and not all email addresses listed get the alert. It's a bit random as to who...
Please add ability for syslog server to receive TCP syslog messages.
Some network appliances, such as Mobotix cameras, only send syslog messages using TCP.