MikroTik

texmeshtexas

Yeah, my point exactly. Bambenek went paid. I pay for it and its not that expensive. couple hundred a year. we strip RFC1918 addresses from all lists. As well as 0.0.0.0/0 and ::/0 as I've seen those show up before. I just whitelist Loopback and Multicast ranges if needed. Every implementation shou...

texmeshtexas

Firehol is all public available open source. I'm not trying to make money on the lists. Just cover my costs to bring it all together, clean and format the lists for MT. Alright, but the FireHOL Level 1 page starts out with, "includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus...

texmeshtexas

For example, how would you know that a contact attempt from an unknown IP is a phishing or Bot C&C server or a malware distribution server. Takes more sophisticated systems to determine these things. There are hundreds of organizations and company's around the planet that focus on threat intell...

texmeshtexas

Hi Mozerd, I could really never tell what exactly makes up the MOAB list. I was under the impression it was just the firehol lists. Not sure where I got that impression. Tell me if I'm wrong. @texmeshtexas greetings 😀 You are not wrong …. But do you fully understand what makes up firehol …. [Overla...

texmeshtexas

Flashstart is just one provocation... ;) *********************** But most infiltration attacks start with a simple probe to see if they can get in. This means that there is some basic error in the network configuration. Everything must be blocked unless explicitly admitted, so the IP list is absolu...

texmeshtexas

You are not the first one: https://forum.mikrotik.com/viewtopic.php?t=98804 and then the setup did not gain enough support to be continued. Very different. I am not trying to create the lists my self. I rely on organizations who run Honey pots, or actively probe, or use AI to determine indicators o...

texmeshtexas

Hey all, i have a question. For the last couple of years I've been building a system that I've been using for 2 business and my own home office. ......... How many would be interested? I more than welcome the competion ... :D MOAB ... MOAB blocks over 600 million Bad Guys from attacking your Intern...

texmeshtexas

Also some paid lists from Bambeneck Consulting, AbuseIPdb, MalwarePatrol I may offer 2-3 different mixes of lists that may be more suitable for your specific needs. I'm thinking about US$100/yr or US$10/mo. This is a scam, I don't think that whoever provides you with the paid lists agrees with the ...

texmeshtexas

I'm thinking about US$100/yr or US$10/mo. Flashstart cost much less and is better implemented all over the world. Flashstart is a DNS filtering system. Not IP based. I actually run both using either Quad9(free no reporting) or NextDNS($20/yr but has controls and reporting). DNS filtering is a bit t...

texmeshtexas

Hey all, i have a question. For the last couple of years I've been building a system that I've been using for 2 business and my own home office. I take all these OSINT list from many sources like firehol1,2,3, Spamhaus, Emerging Threats and more. Also some paid lists from Bambeneck Consulting, Abuse...

texmeshtexas

I still use the date stamp right in the release notes that are accessed by the update command. Works perfectly. #This script looks to see if there is a RouterOS update available, if so, it takes the date stamp from the release notes and calculates the nuber of #days since the release. Then will upda...

texmeshtexas

I'm still using the script version that extracts the date from change log, not the URL. Seem to be still working just fine. At the moment. But MT could change that too.

texmeshtexas

:put [:tonum [:timestamp]] does not work for me. Returns nothing. that is on V7.11.2

texmeshtexas

Makes since to me. Remember EPOCH is in seconds

:put [$unixtodatetime 1693490147] --> 31/08/2023 15:55:47
:put [$unixtodatetime 1693482947] --> 31/08/2023 13:55:47

1693490147-1693482947 is 7200 which is exactly 2 hours.

texmeshtexas

Some of the old /file statements should have been deleted. Not needed anymore. Just left over from V1 of the script.
Should not need any file operations anymore.

DSR was define, just not at top. I moved it.

Script updated.

texmeshtexas

Ok, that is rather helpful. I've reworked the script to use current date and the log date to determine days since release. I'm naming it "RouterOSupdateV2" I just put the two functions in the script but they could be in a "run at boot" script to make them more global. #This scrip...

texmeshtexas

Trouble is the date format in the changelog is different than that in the router "2023-Aug-31 16:55" has to be converted to "2023-08-31 16:55" found a script from @rextended to convert to epoch to do the math but even that does not like the "Aug" format. the datetime2ep...

texmeshtexas

I think I figured this out
script does not like this date format that comes from MT changelog
2023-Aug-31 16:55

:put [$datetime2epoch "2023-Aug-31 16:55"]
1672228500

:put [$datetime2epoch "2023-08-31 16:55"]
1693482900

texmeshtexas

That his script doesn't work when timezone is negative, @minks do not do probably any test.... And also have some other errors, so I write my own version on previous post on this topic & related new versions on links. For example, if you live on GMT-04:00, the script if is queried with apr/22/2...

texmeshtexas

Edited for simplified version Nice! Should not be more useful to pick just the date and compare it with the current date [/system clock get date], than if the date is X days after the release, install? Yeah, was starting to work on that but have not worked out the :pick of only the date without tim...

texmeshtexas

There would be a solution to get the build date: # Get the Changelog of the latest version of the package and save it in a text file. :local latest [/system package update get latest-version] :local changeLog ([/tool fetch "http://upgrade.mikrotik.com/routeros/$latest/CHANGELOG" output=us...

texmeshtexas

Ah now I get it. If version X is latest version and after 30 days the same version is STILL the latest version, then upgrade? It makes sense, but also this situation will not be common, as we release new versons for other reasons too, not just because of problems. I still stand by what I said, if y...

texmeshtexas

instead of working with a file, you can use a layer7 to save a variable But what's the point of saving a file or value in layer 7 just to know how many days ago that version was released? For example, reading just data inside https://upgrade.mikrotik.com/routeros/LATEST.7 You obtain "7.11.2 16...

texmeshtexas

Nice idea for a scripting exercise, but just to let you know - MikroTik does not do this. There is no re-release or version pull. We always release a new version. Yes, I know. my intention was to wait until a new version was out for X days before updating. Its been my observation that if there was ...

texmeshtexas

I understand blind updating can be a problem. I'm just trying to protect from a release that had a short life and had serious bugs that got fixed in days or weeks.
Feature changes that can break things, yes, have to test that stuff, and I do.

texmeshtexas

I've had a script to check and install updates but I added functionality to update only after the release has been out for a period of time. I do this to avoid installing a release that has bugs and has to be released again or pulled. I run this script daily so it can count the days from the last up...

texmeshtexas

Ok. Thanks. Just figured if the firewall sees it and acts on it, why not report it.

But not super important.

texmeshtexas

I have a question about what I should be seeing as far as traffic on the bridge. I have a CCR2004-16G-2S+ running v7.11 This model does have a switch chip with Eth1-9 on switch1 and Eth10-16 on switch2 I use the device strictly to filter bad IPs to/from our internet connection like this. LAN Sw-----...

texmeshtexas

Ah, the "in" operator. that is what I needed. Thanks.

texmeshtexas

Does anyone know of a way to remove any RFC1918 address from an existing firewall address-list? Example list contains 10.0.2.1 192.168.3.11 I dont necessary know what the IPs on the list will be but if they are in the RFC1918 range, I want them removed. just doing this /ip firewall address-list remo...

texmeshtexas

Thank you Rextended, that works perfectly! I was not aware of the "in" operator.

texmeshtexas

I have seen this post viewtopic.php?p=287021&hilit=find+addre ... gs#p287021
and it does not seem to work either.

texmeshtexas

In winbox if I filter in /ip/firewall/address-list for and address that is part of a subnet, it displays properly. Example: filter for 100.72.58.74 there is an address list that contains 100.64.0.0/10 so the list and subnet to which that IP is part of is displayed. However, in a script I'm trying to...

texmeshtexas

I found what I think is the primary issue. As I'm using a collapsed config at the edge, my core network and edge and NAT are the same router. I have some firewall rules to help protect the network from bogons, bad ports, etc. one of the rules, and I thought this one was gone long ago, was a PSD (por...

texmeshtexas

rp-filter should be set to loose mode for assymetric routing. But overall, assymetric routing is bad traffic engineering. What you should do is announce the largest possible aggregates of all your prefixes to both upstreams, equally without prepending or more specifics. More specifics should be use...

texmeshtexas

make sure you dont have rp-filter enabled

check it on

ip -> settings

also try disabling any firewall rule in chain forward dropping invalid packets

thanks, not dropping invalid.

texmeshtexas

Do have a bunch of fw filter rules that rely on conn tracking. Traffic is not natted. thank that could still be the problem? Absolutely. NAT is not relevant to the problem. Doing connection tracking (and thus accepting established/related connections and somewhere down the road dropping the remaini...

texmeshtexas

RP was set to loose and I have default route installed from upstream BGP peer so really does nothing. Turned off for now.

texmeshtexas

Do have a bunch of fw filter rules that rely on conn tracking. Traffic is not natted.
thank that could still be the problem?

texmeshtexas

I have a strange problem that I wanted to get input on. I have two edge routers. One is peered to one upstream ISP1 and the other to another ISP2. Both using default route (not full routes) I want to advertise all prefixes to both ISPs but I get packet drops that cause certain sites to not load righ...

texmeshtexas

good question for @smatter or @rextended

texmeshtexas

that list is not in CIDR format and will not work on this download script. Firehol also has a copy of dshield in their format see if that works https://iplists.firehol.org/files/dshield.netset I tried this but it only downloads the first 3 entries for some reason. $update url=https://iplists.firehol...

texmeshtexas

Took this and turned into a function that can be called from any script on my MT if the script to create the function is run on boot. #create the timestamp in format YYYY-MM-DD HH # :global timestamp #: local mytimevariable #usage: :set mytimevariable [$timestamp] :global timestamp do={ :local currt...

texmeshtexas

actually, tried the jump to a non existent chain that that works perfectly.

texmeshtexas

I have several rules such as this in my CCR2116 device (running v7.4.1) /ip firewall raw add action=drop chain=prerouting protocol=tcp dst-port=80,443 in-interface-list=BR_ALL comment="Bad domain" content=abvrnnyf.com add action=drop chain=prerouting comment="Inbound blocks" in-i...

texmeshtexas

I use a CCR2116 unit with V7.4 as a bridge filtering only device for added security at the office. I pass traffic through two ports on the same bridge with firewall rules applied to the bridge. No Fast-Foward or HW offload or Fast-Track being used. Only Use-IP-Firewall on the bridge. I load some IPs...

texmeshtexas

Ok. thanks for some clean up. I use the :do {} on -error={} because I pull these list from our server, which firsts downloads from the source. the server has code then reformats to an .rsc file I pull down a .rsc file and import that. Occasionally there have been errors in the data. Not so much with...

texmeshtexas

I think I just discovered the problem. the final :if do curly bracket should have been at the end of the last line as it is here. why it behaved differently in the V6.49.6 box is very strange. #The specific comment search is much faster. But does not work in V7 #:foreach b in=[/ip firewall raw find ...

texmeshtexas

Here is more of the script. What I'm trying to accomplish is count the number of blocked packets. #count number of blocked domains. :log info "*************** Compiling blocked domains *****************" :local b 0; :local blkd 0; :local dname 0: :global Tblkd 0; :global Blkdomain "&q...

texmeshtexas

get the same exact result when I change to this :foreach b in=[/ip firewall raw find where comment="Manual_domain" || comment="TV_domain" || comment="BAM_C2_domain" || comment="BAM_Phish_domain" || comment="BAM_Mal_domain"] do={ matches everything on...

texmeshtexas

Hey gang, I'm running a 2116-12G with V7.4 I have a script that runs hourly that looks through and counts up the number of domain blocks from my Raw rule filters. This works perfect in V6 This is a piece of the script. For some reason the part of this script matches everything instead of the logic O...

texmeshtexas

Sorry about the v7.4 thing. the passphrase I'm referring to is the one used to create the key on the server. couldn't tell if you did implement that or just redacted it in your instructions. Did go reread an earlier response and do see it now. I figured the passphrase when generating the key files w...

texmeshtexas

well, package updates and regenerating keys did no good.
fyi, all this works fine in v6.49.6

texmeshtexas

Did you use a passphrase? I do. did exactly the same but get an error during import on the MT. I even did a sftp key download directly to the MT (using pw auth). what version of v7 are you running? Its starting to seem like its the ssh-keygen I'm going to run a package update on the server and regen...

texmeshtexas

ok. I regenerated a set of keys for V7 using ssh-keygen -m PEM -t rsa -f ~/.ssh/v7_id_rsa same problem, cannot import the private key using /user ssh-keys private import private-key-file=<file name> user=<user name> can also import the pub key just fine using /user ssh-keys import public-key-file=<f...

texmeshtexas

Yeah, the keys I'm using with v6 are generated with -m PEM and are rsa But I cannot import the private key in the V7 unit. get an error "Couldn't perform action - unable to load key file (wrong format or bad passphrase)" This is what the log looks like on the Mikrotik side Jul/23/2022 16:4...

texmeshtexas

But I'm not using the SSH server in RouterOS.
I'm just using the client connecting to an external server.
Works great in V6.
Something is wrong with the key imports on V7. Or the key requirements have changed and its not documented anywhere.

texmeshtexas

No one else having this issue?
The ssh-exe command requires key file loads to the user on the MT.

/system ssh-exe address=[:resolve $Servername] user=$Username command="<remote command>"

texmeshtexas

The client is the MT router(V6 or V7), the server is a RockyLinux server in the cloud.

texmeshtexas

ok. I moved the MT to a different network segment and its at least now talking to the server and I can login using password. Now I have a V6 and V7 side by side. I can login into the server with the V6 using the cert but not the V7. In the V6 when I goto /user ssh-keys private import. I have to load...

texmeshtexas

Do you have strong-crypto=yes enabled on the router? I'm not certain that this affects the SSH client as well, but let's get that established, just in case. RouterOS 7.3 removes DSA authentication. If your remote server requires it, there's your problem. This is a long-obsolete algorithm . As for t...

texmeshtexas

Here is the sshd_config file. Keep in mind this works perfectly with V6 boxes. I generated the key files with -PEM option # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was ...

texmeshtexas

yes, can ping the server.
and can SSH from another Tik in the office. But its on V6.

texmeshtexas

Has anyone had any luck with SSH in V7.3 or V7.4?
I've not had any luck with /system ssh address=<ip address> user=<user name>
I watch the logs on my remote SSH server and nothing even tries to connect.

Works great on V6.49.6

texmeshtexas

My problem is not the version of netinstall i'm trying to use but the HW does not even go into the right mode. I never get a link light on any ethernet port.

texmeshtexas

7.4RC2 not working either

texmeshtexas

I cannot even get the CCR2004-16G to netinstall. holding reset during boot never does anything. Tried on ports Eth1 and Eth16.
Simply does not work.

texmeshtexas

I use a rsa key generated on my remote server that I have my Mikrotik devices log into. I import the public/private RSA key pair as described in this wiki https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_public/private_key_login in V6 the key format must be PEM but in V7 I get an error tha...

texmeshtexas

I ordered a new CCR2004-16G-2S+PC and it arrived with V7.3 I upgraded to latest stable (V7.3.1) stuff just does not work right on this (sftp and firewall filtering on bridge with interface list). I want to downgrade to V6 but cannot even get Etherboot to work. I've followed all the procedures here h...

texmeshtexas

do not guess, fail because the delimiter is \r\n not only \n
open file with binary editor for see that

the correct syntax is
Code: Select all
delimiter="\r\n"

Sure enough, works with \r\n

thanks.

texmeshtexas

I'm trying to load the IP list from this site with a script I use to load many other lists. Show the script. https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt Two ideas: 1. You aren't handling the comment lines, beginning with "#" characters. 2. Your script assumes Unix ...

texmeshtexas

ok. I did open the file in Notepad++ with end of line char turned on. I see it. was not sure if Notepad++ inserted that since I'm on a Windows machine but guess not.
I'll give that a try.
Thank you!!

texmeshtexas

I'm trying to load the IP list from this site with a script I use to load many other lists. https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt The script gets to the point where its adding the IP to the list but it fails. I reproduced the issue on the command line. There is a global...

texmeshtexas

I'm guessing its because some sites are encoded with gzip. That is the case with that Feodo site.

texmeshtexas

anyone know why this list fails
$update url=https://feodotracker.abuse.ch/downloads ... mended.txt listname=FeodoC2 delimiter=("\n") timeout=90d

texmeshtexas

I looked also at Greensnow but could not find a cause why RouterOS have trouble with it. As soon as I use output=user then it gives an error. greensnow is fully included in firehol level2 anyway $update url=https://iplists.firehol.org/files/firehol_level2.netset listname=firehol_level2 delimiter=(&...

texmeshtexas

In addition to importing IP lists, I'm looking for a way to import a domain list, like https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt I've had pretty good luck using the domain in this type of filtering scheme In this case, I block 0000.com.my /ip firewall raw remove [find comment=&...

texmeshtexas

Tried to download greensnow $checkurl url=https://blocklist.greensnow.co/greensnow.txt cod=666.1;txt=invalid URL protocol its not a redirect and also fails the basic download via $update failure: closing connection: <error processing HTTP response> 85.236.154.77:443 (4) loads on a browser ok. Any id...

texmeshtexas

after putting the :global checkurl code at the top of the main script, I use this to download everything

:global testurl [$checkurl url=https://snort.org/downloads/ip-block-list]; $update url=[:pick $testurl 1] listname="Snort"

seems to work just fine.

texmeshtexas

that did the trick. Thanks for the adjustment @msatter !!

texmeshtexas

any idea why the script does not like
$update url=http://www.spamhaus.org/drop/drop.txt
Tried delimiter " ;" and ";" and variations to include "\n"

texmeshtexas

I'm seeing that lists like this one $update url=https://lists.blocklist.de/lists/all.txt listname=BlockList-DE delimiter=("\n") timeout=1d noerase=1
have some IPv6 entries.
would be nice is if the script put those entries on a corresponding IPv6 firewall address list. even same listname.

texmeshtexas

@Shumkov, @rextended and @smatter You are all incredible. This is a fantastic workaround for the 64K file limit. was actually able to load this very large list $update url=https://iplists.firehol.org/files/blocklist_net_ua.ipset listname=blocklist_net_ua delimiter=("\n") took a bit as the ...

texmeshtexas

I know this post is a little stale but I'm trying to import this list http://blacklists.co/download/all.txt Its seems to be too long to fit in a variable method like used in this post. The file is only a list of IPs, not in .rsc format. can get the fine onto MT but how to process and covert to an Ad...

texmeshtexas

Got this to work.
Had to specify a destination file name at the end of the sftp://<path>

/tool fetch url="sftp://$SecFTPservername/home/ssp/$Dfile.txt" user=$SecFTPusername password=$SecFTPpassword upload=yes
ascii=yes keep-result=yes mode=ftp src-path="$Dfile.txt"

texmeshtexas

have a RockyLinux server running OpenSSH 8.0 Trying to write a script to upload a file periodically. RoS is 6.49.6 This command works for another server but this one on this new server gives me trouble. The session establishes but the file transfer will not take place. > /tool fetch url="sftp:/...

texmeshtexas

This is the script I use to do this very thing. :log info "Automated Backup Started" :delay 2s :log info "Creating Backup Files. This may take several minutes." :local sysname [/system identity get name] :local textfilename :local backupfilename :local time [/system clock get tim...

texmeshtexas

Actually, I changed the :local newurl to :global newurl and script is working and downloading the list now!!!

Thanks for the help!

texmeshtexas

using 6.49.6 final full code # Automatically add Talos Blacklist to firewall address list # # # Please do not fetch more often than the listed update interval, for the # lists that are updated only as IANA allocations change, please do not fetch # more than once per day. # # by Phillip Stromberg # 2...

texmeshtexas

Ok. so I took that approach and generated a variable called newurl and tried to use that in the fetch to download the list in the end I get this https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/014/567/original/ip_filter.blf?X-Amz-Algorithm=AWS4-HMAC-SH A256&X-Amz-Cred...

texmeshtexas

ok. thanks for offering.

texmeshtexas

works from my web browser just fine. I think it has to do with the initial site has 301/302 redirects to https://snort.org/downloads/ip-block-list which then redirects to https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/014/564/original/ip_filter.blf?X-Amz-Algorithm=AWS4-H...

texmeshtexas

I found this script and haven been using it successfully to download bogon lists. However, I'm trying to use the same script to download a different list from Talos that is offered in same exact format but there is something about it that the fetch command does not like. the list is located here htt...

texmeshtexas

I would like the answer also.
Dont want servers coming in to get files, want the router to push the file to the server.

If you dont know the answer, stop posting, stop telling him its a dumb approach. its not.

texmeshtexas

Why are you not dropping everything on your WAN interface? If they are targeting a client behind NAT, then that client would have to have initiated the connection in order for the router to forward fragments. If you're using a routed setup then just drop all fragments at the edge, there's no good r...

texmeshtexas

Limiting the amount of traffic should help deter such attacks. I have attended several conferences with experts on this topic. I also create conference flyers myself to share this knowledge. You also need to use filters in the form of IP blacklists. This is not a guarantee of 100% protection, but i...

texmeshtexas

How come I never see any of this so called attack traffic ?? It must be my block all else rule at the end of input and forward chains......... thats right I am not a believer..... Vaccines yes, anything else not so much. If you dont have open ports, then sleep easy. Cant block fragmented packets in...

texmeshtexas

The other night our CCR1072 running 6.48.5 was brought to its knees by UDP Fragmentation DDoS attack. Fragmented packets where large byte packets but not sure that matters as far as the work the router has to do to reconstruct packets. Other than memory use. Got that mitigate but now I working on a ...

texmeshtexas

what does the tool>profile indicate?

Are you running with IPv4 Fasttrack Active, not Fast Path. We found that helps a lot.
In IP settings we enable Allow FastPath but due to fw rules, that does not get used.
Added fw filter rule on forward chain with conn state est,rel Action fastrack connection

texmeshtexas

Did you ever get a reply? Assuming not.

texmeshtexas

This does not work because reading the file to the variable is too large. Would work for much smaller file but the bogon list is now over 1300 entries and about 21KB in size.

texmeshtexas

Has anyone used the built in variable names in the DHCP Server script? lease-script (string; Default: "") Script that will be executed after lease is assigned or de-assigned. Internal "global" variables that can be used in the script: leaseBound - set to "1" if bound, o...

texmeshtexas

Just thought I would share this with the Mikrotik community. I've always been a proponent of keeping garbage traffic off our network in an effort to conserve our very expensive infrastructure resources. Besides doing the usual things like blocking Bogon IP traffic and block certain TCP/UDP ports, we...

texmeshtexas

I noticed that if I changed the IP in my dyndns.org account. This script would not correct it.
To fix that, I made these changes.

:local dyndnsForce
:local previousIP [resolve $hostname]

Now the script truly compares the routes current IP with that resolved by $hostname

texmeshtexas

Got the FTP working also. Thanks gang!!

texmeshtexas

Got this to work with the :execute method.
Thanks for the help!!
Not just have to figure out how to have one router login and ftp the file over.

texmeshtexas

Tried this. It actually works up to the point when the file size gets to about 4043B. The next write never happens.
Same problem, the variable starts to get too big to write to the file.
Need a true file append capability instead of a read, append, write approach.

texmeshtexas

What is interesting is if I do a :log info $exportcmds
The entire contents seem to be reflected in the log. Just seems to be a problem in the /file set command. Perhaps that is where the limitation exists.
I was hoping to avoid writing the file so many times to avoid disk wear.

texmeshtexas

I created this script which reads routes from the route table and creates a local Firewall Address List to use for filtering traffic. That part works just fine. I want to also create a file that can be imported to other MT routers to replicate the list in other routers. I build the entire command li...

texmeshtexas

If we reload the same RouterOS version onto the router and reboot will that reload the OS and clear these things?
We are running 6.46.8 (Latest long term)

texmeshtexas

This is an ISP network so not real chance of looking at PCs.
However the traffic is originating from one of the router interface IPs.
I suppose the destination IP could be miss categorized by Kentik.

texmeshtexas

We seem to have several routers that are infected with the bot RemcosRAT talking out to 192.169.69.26.
Our Netflow tool observed the communications. That is how we know.

Anyone else noticed this?
Trying to find a good way to see if the other routers are infected.

texmeshtexas

In our CCR1036 devices, DHCP does not always populate the ARP table. ARP table entries are critical in our setup. Or the ARP table entries are disappearing despite the longer timeout setting on the DHCP bridge. Actually, thinking more and more that the ARP entries get added to the ARP List but later...

texmeshtexas

Anyone find a solution to this. Have same problem with a CCR1072 on 6.46.7 advertisements print show nothing to upstream peer and the upstream is receiving the prefixes and traffic is flowing as expected. Strange thing is we have another CCR1072 peering to the same upstream on a different circuit an...

texmeshtexas

This is still a problem in 6.44.6
Its pretty sad that a simple packet sniff operation brings this big powerful router to its knees and crashes it so bad that it needs a power cycle to recover.

texmeshtexas

Ok, This is a strange one and hard to reproduce. Symptom: PPPoE authentications are failing against our off site Radius server. We can reboot the router and everything is fine again. During investigation and while the router was in the state, I looked to see if there was a more current version of Ro...

texmeshtexas

We have seen this also but not in a while. We reworked Firewall filter rules to get the CPU load down and it go more stable. Problem seems to be worse when the CPU load is highest. And using packet sniffer with Winbox drives the CPU up and can crash the system as well. Also it does seem more stable ...

texmeshtexas

Has anyone else experience the CCR1072 running 6.43.8 and the previous couple releases, becoming unstable and crashing (total hang up requiring a power cycle to recover) when running packetsniff? A big clue is the CPU goes to 100% when running packet sniff. Even a sniff that results in a rather smal...

texmeshtexas

6.42.7 BGP problem

we have 6.42.7 updated this morning.
I'm noticing that our BGP blackhole peer with our upstream is not sending withdrawal from the network list like it used to.

anyone else have issues with this?

texmeshtexas

was able to determine its not the number of /32 prefixes, it was the script that looks at my address list and puts those addresses on the prefix list https://forum.mikrotik.com/viewtopic.php?f=9&t=115521&p=680382#p680382 I was running the script every 10sec but it takes over 2min for the scr...

texmeshtexas

GamerXP,

Tried your script, seems to work well.
Any reason it takes 2.5min to run on a CCR1072.
Adding 120 prefixes from my address list.
Does that seem right?
I can only run it every 5 min.

Greg

texmeshtexas

we seem to get hit by DDoS attacks to a large number of IPs at the same time. Some are assigned IPs and many are not. In any case, we want the ability to black hole several hundred IPs at once. Our upstream allows upto 200 at the moment. However, with 100 or so /32 prefixes on the Mikrotik (CCR1072 ...

texmeshtexas

that first mangle rule /ip firewall> mangle print Flags: X - disabled, I - invalid, D - dynamic 0 chain=prerouting action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=ddos-source address-list-timeout=6h in-interface=NETIX log=no log-prefix="" sure seems to put alot o...

texmeshtexas

dst-nat is performed as the frame or packet enters the 'Tik, so the mangle rule assigns the packet-mark to the packet too late, after it has already passed the dst-nat chain. So a single rule like /interface bridge nat chain=dstnat action=dst-nat to-dst-mac-address=FF:FF:FF:FF:FF:FF mac-protocol=ip...

texmeshtexas

I've got a phone server on our network that uses the subnet broadcast address to send info to the phones on the local subnet. However, its sending the packet to desitination MAC of the gateway router (MT 2011) and not FF:FF:FF:FF:FF:FF so the phones never see it as the switches forward the frame onl...

texmeshtexas

It could be but I dont see the traffic going up much.
I have a bunch of rules to detect if the traffic goes up to an unusual level and captures stuff into files assuming its a DDOS attach.
It could be a low volume attach designed to drive a Mikrotik crazy, I suppose.

texmeshtexas

We have a CCR1072 running 6.40.5 on the edge of our network. This router typically has 2.5-3Gbps of traffic running through it. Many fw rules and does NAT for customers on private addressing. about 1-2 times per month it randomly jumps into a mode where the CPU goes from the normal 7-8% up to 60% ra...

texmeshtexas

We have a CCR1072 running 6.40.5 with an S+31DLC10D SFP module to communicate with our upstream proider. Our upstream started getting receive errors over the last couple of weeks and its really climbing the last few days. ON our side we see Tx Power -4.483dBm Rx Power -3.951dBM Our upstream sees thi...

texmeshtexas

I see the same issue on Dude 6.38.5 and 6.39 Suddenly stopped woring on Win 7 client. Anyone know wha the solution is? 6.39 ACCESS VIOLATION at: 6da6c975 eip=6da6c975 eflags=10293 edi=0 esi=6dae06cf ebp=28f09c esp=28f040 eax=408f9c0c ebx=fffffffe ecx=0 edx=0 log: backtrace: 6da6cf8c 4d03ec 4d0428 4d...

texmeshtexas

There seems to be an issue with SNTP getting synced in this version. I use a script to periodically set my server IPs to us.pool.ntp.org and time.nist.gov script works fine but router simply wont sync any more after upgrading from 6.30 to 6.32.2. Well, turns out I forgot to do the Routerboad fw upd...

texmeshtexas

There seems to be an issue with SNTP getting synced in this version.
I use a script to periodically set my server IPs to us.pool.ntp.org and time.nist.gov
script works fine but router simply wont sync any more after upgrading from 6.30 to 6.32.2.

texmeshtexas

All our CCR's locked up right at 7pm CDT. 3 x86 units did not, MT493 units did not.
This is very strange.

texmeshtexas

We are setting up Hotspot to authenticate the MAC of our CPEs. We do Not want users to get a splash page and “log in”. It needs to be automatic authentication to the Radius server. If the MAC is in the Radius server, then authentication should work. Sometimes the MAC/IP shows up on the Hosts list bu...

texmeshtexas

I believe this is part of the flow contol mechanism that was added to Ethernet interfaces in RouterOS 6.12+ Not a new concept in Ethernet but new to MT. I had this issue on one of my CCR1036 interfaces connected to a SAF backhaul. The SAF turns flow control on (no option to turn it off) and I had no...

texmeshtexas

Customer were complaining about download speeds being terrible. Mostly around 1-1.5Mbps. No matter what their queues are set to. I have a computer at the a tower site so I was easily able to verify this. Also AirControl tests to CPEs confirmed. I think this is related to 6.18 as I upgraded over the ...

texmeshtexas

I've found that this does not work. http://wiki.mikrotik.com/wiki/DoS_attack_protection /ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \ action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes /ip firewall filter add chain=SYN-Pro...

texmeshtexas

Each tower has a router that connects to one or more upstream towers and is the primary interface to the customers. There is one interface that is customer facing. the firewall filters are primarily to protect the infrastructure, not the customers. Most customers are on private addresses so we NAT a...

texmeshtexas

Its rule 10 that causes all the trouble. # nov/ 4/2013 21:10:13 by RouterOS 6.5 # Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Established input chain=input action=accept connection-state=established 1 ;;; Established forward chain=forward action=accept connection-state=established 2 ;;; Rela...

texmeshtexas

anyone having trouble with a Firewall filter rule like this add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid This absolutely creates much trouble with my customers traffic. Seems to kill all sorts of valid traffic including my AirControl traffic to ...

texmeshtexas

Just found a queue on the other side that was limiting the bandwidth.
Its good when I turn the queue off............how embarrassing!!.

texmeshtexas

Tried MTU of 1500 and 1460. No change. Testing to MT493AH. From the PC to the local MT493AH I get around 78-80Mbps each direction. To the remote MT493AH on the other side of the Motorola licensed MW link (100x100 full duplex) I get about 18x16Mbps. I know its not the link as the customer traffic run...

texmeshtexas

yeah, but it also does it on the Motorola Licensed 100x100 full duplex link.
And I know the link supports >15-18Mbps data because at peak times, I see around 25-30Mbps customer traffic.

texmeshtexas

I use MT routers in various places in my networks. In areas where they are just routers (no wireless cards), when I run bandwidth test between two 493AH routers (both on V4.5) that are connected to the same HP switch, the speeds look great. But in 3 different places when I run across either a Ubnt l...

texmeshtexas

Where you ever able to get the Shrewsoft VPN client to connect to ROS?
I've not very knowledgeable about IPsec setups so I need to know if it is possible.
If it does work, are there step-by-step directions somewhere?

texmeshtexas

I'm applying firewall rules to a bridge and all seems to work well. Can anyone tell me what exactly the Connections tracking window is telling me. My default TCP Established Timeout is set to 1d 00:00:00. That seems too long. I just want to see how many active connections there are. What should I us...

texmeshtexas

Put v4.6 on my 750 and it would no longer talk to my Motorola PTP800.
Very strange as it would talk to my Ligowave device and my PC, just not the PTP800.
Had to abort 4.6 to get things working again.

texmeshtexas

Well, maybe I asked the wrong question.
Does Mikrotik support GPS timing when configured as an AP?

If I have multiple AP's on a single tower, will this help reduce interference between them?

texmeshtexas

I need to put 3 AP's on a tower with R52N running 2x2.
Will Mikrotik allow me to GPS sync to avoid interference between APs?

If so can someone tell me what USB based GPS unit I should use with my 433UAH?

texmeshtexas

I'm running Dude 3.1. When I test the notifications I get the proper syslog and event log entries but not all notifications are sent by email. I test by taking 5 devices down at the same time but I only get 2-3 email alerts and not all email addresses listed get the alert. Its a bit random as to who...

texmeshtexas

Please add ability for syslog server to receive TCP syslog messages.
Some network appliances, such as Mobotix cameras, only send syslog messages using TCP.

texmeshtexas

Does anyone now how to set up a SPI firewall feature on RouterOS 3.17?

Search found 151 matches