MikroTik

Cha0s

Wait, torrent wasn't a joke?

Torrent is an essential feature of every router!
DNS on the other hand...

Cha0s

At the moment there is no fully automated method in ROS to switch from a bad uplink (bad as in slight packet loss or increased latency somewhere between you and the destination - but still functional as far as ROS is concerned) to a backup/good one. You either have to resort to cumbersome scripts a...

Cha0s

I don't know (or care) about how LTE handles loss, etc, but I think we've got offtopic comparing this to LTE. LTE is just one type of Internet access and is irrelevant to the topic at hand IMHO. I can see this technology having significant benefits even if your uplinks are fiber based with 99.999% u...

Cha0s

I did Anav. One of the first hits was NordVPN, but I see it doesn't support MikroTik anymore. Hence I'm asking here. Since v6.45 MikroTik can connect to NordVPN without problems. using IKEv2. https://nordvpn.com/tutorials/mikrotik/ikev2/ https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_...

Cha0s

Cha0s

Yes, ~45 degrees seems to be the norm for this device.

graph.php.png

Here's a comparison between RB3011 and and RB4011 that replaced it around a month ago.

Cha0s

Several days passed, still no replies and not a single email about this issue. Is the RB4011 5GHz issue resolved? The problem still exists. For me it took about 29 days on a brand new RB4011, before it occurred. Since then the wifi gets disabled (stuck in "initializing") in less than a day for 3 da...

Cha0s

Mikrotik doesn't block Google Translate, or any other service for that matter. All RouterOS does, is route packets from one network to another, according to however you configure the device to do so. It doesn't take it on itself to decide whether you should be able to access a webservice or not. If ...

Cha0s

Don't touch my WinBox, it's one of the best tools invented by mankind, and it's perfect as it is now. It's like trying to reform hammer, sure you can come up with something else that's not bad either, but it still won't be good replacement for the simple and reliable tool in all cases. Native WinBo...

Cha0s

*) system - accept only valid string for "name" parameter in "disk" menu (CVE-2019-15055);

I guess asking for more info on that is pointless until you provide an update for stable/long-term channels, right?

Cha0s

Yes, I am aware of that, but how do the others do it, at train stations, airports ... ? a few weeks ago I set up a WLAN connection at the airport and I couldn't download any files. So there has to be a solution. I doubt they were able to block files download over an HTTPS connection. Only whole dom...

Cha0s

Strangely enough, URL Block also works for HTTPS pages. This works here, for example: ^.+(youtube.com|facebook.com).*$ Domain block (not URL block) works because the domain is visible (unencrypted) during the TLS session setup between the browser and the server. After that, you cannot see anything ...

Cha0s

This L7 Regexp does not work anymore since update: \.(exe|dmg|cab|msi|flv|mp2|mp3|m4a|mp4|torrent)($|\?) I used this to block file download. I also don't know which MikroTik version I had before. I think it was the 6.43. You do understand that this is useless in an ever growing https world, right?

Cha0s

Probably something wrong on your side. An antivirus messing up with the downloads maybe?

All links work fine on my end.

Cha0s

I've got a few of the non wifi RB4011 models and I have no issues. In fact I found that RB4011 was the only model that I could saturate the uplink with a single connection over IPsec, while others couldn't go much higher than 150Mbps (and that with multiple connections only). Granted, my configurati...

Cha0s

Almost two years have passed, and absolutely nothing has changed.

CCRs still cannot route (not drop) a moderate flood of SYN packets.

Cha0s

cpu spikes
Huh?..

Do you want to elaborate more?

Cha0s

Also, Winbox on Linux/Wine is definitely heavier/slower than on windows. Each screen refresh causes cpu spikes when having multiple windows open.
On windows there is no such cpu usage no matter how many windows I have open in winbox.

Cha0s

Last Link Up/Down Time botched. It started happening to me (951G-2HnD, 941-2nD) on the latest stable ROS 6.45.1 / WinBox 3.19. Ethernet and ppp links. WinBox Terminal - correct: last-link-down-time=jul/08/2019 12:31:21 WinBox Interface List - wrong: Last Link Down Time: Jul/14/2019 09:44:52 Today i...

Cha0s

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused. While you are at it, will you fix the interfaces last up/down times on winbox that are in the future?

Cha0s

My configurations use all types of tunnels.

GRE, IPIP, EoIP. All of them, over IPsec without any problems on my end.

Cha0s

You are looking for ECMP - Equal Cost Multipath. https://wiki.mikrotik.com/wiki/Manual:BGP_Load_Balancing_with_two_interfaces ECMP by default (route cache=on), will load balance per connection and not per packet. By disabling route cache (in IP > Settings) then ECMP load balances per packet on all a...

Cha0s

2 Mikrotik Team Do you confirm some troubles with GRE interfaces + IPSec (transport) ? What we have to do in that case? Maybe there is something special with update? For example: We have to update passive sites first to 6.45.1 and after main router to 6.45.1 Or another way? Thanks! I have IPsec tun...

Cha0s

I agree with pe1chl. phpBB can also send mails using the native mail() function of PHP, which by default will send mails using sendmail executable to localhost. This can be blazing fast since it doesn't even care if the local MTA is loaded or not or even running at all. It writes directly to the fil...

Cha0s

i upgrade my RB433AH after that...i couldn't access with current user and password and with admin???? . My observation is that after a reboot, the first login attempt fails ... subsequent logins are successful. This behavior has been reproducible after every reboot, of the single device I'm testing...

Cha0s

NETMAP needed.

not nat.

You mean NPT, and both NAT66 and NPT (or netmap) are types of NAT.

Cha0s

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.

+1

Cha0s

If you have many custom settings, then you should most definitely not use quickset. If you can still sensibly change settings using quick set, then ... you don't have that many settings after all. I'm sorry but reset is not a solution Then you shouldn't use Quickset. Quickset is only for initial se...

Cha0s

That wrong time is a "known problem" that was introduced several versions ago, not with this version. It likely is already on the list of things to fix. Also I believe it's a winbox bug and not a ROS bug. CLI shows the correct times. IIRC deleting the session on winbox also shows the correct times ...

Cha0s

LtAP mini Kit has two SIM slots. Is it possible you are using the wrong SIM slot?

They way those slots are it's not always clear weather you've inserted the SIM on slot 1 or slot 2 (they call it up/down in System>Routerboard>SIM menu).

Cha0s

What does the browser's web developer's tools console shows when it cannot load the iframe? If the iframe url can load when accessed directly, then it's almost certain that it is not a networking/MTU/MSS issue. Is it possible that the client's browser is messed up (or some other software is messing ...

Cha0s

MikroTik has no L3 switch that can do wirespeed routing. Can can do L3 stuff on MikroTik switches, but the performance will be way lower than 10Gbit (maybe even lower than 1Gbit) since all those functions are done on the CPU and not on the switch chips. The CCR line are not switches but routers. Tha...

Cha0s

Just got an RB4011iGS+RM. It has 512MB flash, so I might have been interested, but the online documentation states that it's only available for MIPS, TILE and PowerPC. Too bad. RB4011 perfectly supports multiple partitions. I am using it on multiple RB4011s. AFAIK as long as you have >=64MB of flas...

Cha0s

If you double click on the source address it gets copied to the Src. Address Filter field.
Same goes for Destination address.

No the best solution, but it's better than nothing.

Cha0s

For Unimus, connect to router periodically (user configured scheduling), and retrieve "/export compact". After that, strip all dynamic content in the output (timestamps, log messages, runtime comments, etc.). Parse the config, check if anything changed against last retrieved config. If a change is ...

Cha0s

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk? Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc? Usually a configuration management system does this for you. Unimus does this out-of-the box and you c...

Cha0s

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated. In the scenario where an ISP doesn't provide a static IP to it's client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostnam...

Cha0s

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

Cha0s

+1 for TACACS+ support

Cha0s

Incorrect time is cosmetic Winbox bug noticed when there are multiple Winbox instances open. If you check in terminal, time is reported correctly.

When will it be fixed? This has been reported for many releases by now.

Cha0s

I confirm the problem.

Cha0s

Check this MUM presentation https://mum.mikrotik.com/presentations/ ... _Nikos.pdf

Cha0s

On RB951 and similar boards, I don't expect the best performance and I don't think PHP should be supported at all on these models due to the low power CPU and resources. But for the more capable models, like RB3011, RB4011, CHR and CCR-series, it could be a nice addition. Yeah, but that ain't gonna...

Cha0s

Legal limits are about EIRP. EIRP is not Tx power at transmitter's RF connector, it's power at antenna perimeter. And that value is affected by antenna gain. Which is not how most of WiFi users (and, sadly, WISPs) understood things ... I remember attending a Netgear "seminar" back in 2005-2006ish a...

Cha0s

PHP Support for webpages. So, that we can make advanced webpages without visible scripts (JavaScript is visible to the user, PHP scripts are not). I know MikroTik's webserver is meant to provide the basics, but you don't always have the space and budget to place an external webserver (and no.... a ...

Cha0s

In year 2019 - this RB belongs to the trash

Besides suggesting putting it in a landfill, polluting the environment for no good reason, do you have anything on-topic to suggest?
Like for example, what is the value of C78?

Cha0s

Those are C67 and C68 and their value is: 560μF 6.3V 105°C

While we are at it, does anyone know the value of C78?
It's right behind the DC barrel connector and it's an SMD one.

ima_82b5a40.jpeg

Cha0s

AFAIK there is no such option.

On the other hand, MikroTik is a router, not a NAS device. Don't use it like that.

Cha0s

That (voip) explains the high packet rate but low bandwidth I saw on your screenshots. Unless you use NAT, you don't need the SIP direct media helper (and I think it doesn't even get involved in forwarded traffic when there is no NAT). Also, connection tracking in general, with lots of connections a...

Cha0s

Same with the web interface.

Cha0s

+1 by me as well.

Cha0s

You cannot bond at the CHR level. Right now you are bonding two virtual NICs that connect to a Virtual Switch. Not Nexus. You should do the bonding at the ESXi level. But from there I don't know how you could get more that 10Gbps on the CHR. I've read some posts that the VMXNET3 driver doesn't reall...

Cha0s

Upgrading from 2.8 to 2.9 on a CSS106-5G-1S causes severe traffic drop between 1G ports and 100Mbit ports. It's random from 0 to 40Mbps. Reverting back to 2.8 traffic increased back to steady 100Mbps. Are there any errors in interface stats when using v2.8 or v2.9? No errors at all on any port.

Cha0s

Upgrading from 2.8 to 2.9 on a CSS106-5G-1S causes severe traffic drop between 1G ports and 100Mbit ports. It's random from 0 to 40Mbps.
Reverting back to 2.8 traffic increased back to steady 100Mbps.

Cha0s

Same here

Cha0s

I did as much reading as I could both with the sparse supplied docs and what was online before and during my efforts!! I have winbox v3.18, I fail to see a safe mode. FWIW, been doing router stuff etc. since 1989 but I am not an "IT Professional" Everything about RouterOS is documented here: https:...

Cha0s

Maybe something link this (to accommodate for the time requirements). /ip firewall nat add chain=dstnat src-address=192.168.1.116 time=22h-7h,sun,mon,tue,wed,thu,fri,sat action=dst-nat to-addresses=192.168.1.20 Also, this thread needs to be moved to some other category. It has nothing to do with wir...

Cha0s

You can add all the prefixes (/22, /23, /24) in Routing > BGP > Networks. And then use separate filters on each peer to filter out which of those prefixes will be announced to each BGP peer. I suggest you first create the filters, apply them to the BGP peers and then add the more specific prefixes t...

Cha0s

3. Cannot find my router in Netinstall. Ethernet cable to Ether1 slot from my laptop, no other network connection and strictly follow instruction.

Try connecting to port 12 instead of port1.
viewtopic.php?p=399474#p399474

Cha0s

Thanks! That resolved the issue!

Cha0s

Just to clarify (if anyone else wants/can reproduce this), the config regarding the virtual wlan interfaces was, 1 virtual wlan interface per physical wlan (one for 2.4GHz and one for 5GHz) both added to a bridge.

Cha0s

Symbol: ` in WLAN SSID brake all wlan interfaces. Or even not a symbol, but a virtual WLAN. When I create a virtual WLAN and reboot hap ac^2, I don't see all interfaces and export doesn't work in the console. DimaFIX - Please send supout.rif file from your router to support@mikrotik.com. If I add s...

Cha0s

Symbol: ` in WLAN SSID brake all wlan interfaces. Or even not a symbol, but a virtual WLAN. When I create a virtual WLAN and reboot hap ac^2, I don't see all interfaces and export doesn't work in the console. DimaFIX - Please send supout.rif file from your router to support@mikrotik.com. If I add s...

Cha0s

The column sorting is done in the browser with Javascript, not in the database. I am just saying that sorting, the way it works now, it's pretty much useless on fields that do not contain plain numbers. If I want to sort by memory or cpu frequency the results are all over the place. Also if that's n...

Cha0s

Very nice!

Column sorting is a bit of a mess (nothing is sorted properly, except for columns with plain numbers), but we can live with it

Cha0s

How long does RouterOS take to shut down typically? I cannot find any indication of the progress once shutdown has been initiated? How vital it is to always shut down a unit properly (referring to SXT-LTE)

It takes just a few seconds. You don't really need to shut it down before removing power.

Cha0s

The problem occurred on both updated devices with the new cloud service and old devices with the old cloud service.

It just started to work the next day. But only after it caused havoc on vpns and other stuff that were based on ddns.

Cha0s

Yes, I just checked from other locations/ISPs too and it won't update.

Cha0s

After a long lasting power failure at the power company, when the router came back up it will not update its ddns via IP>Cloud. It is stuck on 'updating...' for well over two hours and does not actually ever update its ddns. Screenshot_8.png The router is an hAP ac^2 running v6.43.4 The router can r...

Cha0s

For SSL/TLS enabled websites, you definitely cannot inject advertisements (or anything else for that matter).
Regardless of which hotspot vendor you use (thankfully it's a protocol security measure, not a vendor limitation).

Cha0s

those use routeros, https://lorrier.com/ The LoRaWAN part is implemented with BeagleBones using the SPI bus. They use ROS only for the networking part, behind the BeagleBones. The gateway is based on iC880a LoRaWAN™ concentrator by IMST which uses Semtech SX1301 base band processor designed for use...

Cha0s

It just happened to me on one of my SSTP VPNs with version 6.34.4.

I get the same error in the logs. 'nonce not matching'

Cha0s

Try reinstalling the OS by doing a Netinstall.
https://wiki.mikrotik.com/wiki/Manual:Netinstall

Cha0s

*) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43);

Thanks for including this fix.
It works ok now

Cha0s

So now my problem would be whether I need a better model.

No, you don't need a better model. You need to configure FastTrack and you will able to reach 1Gbps.

Cha0s

Hello, Based on your setup, you may get less than gig. If you look at the gr3 specs, you'll see that with filters and bridges, throughput goes down depending on packet size. Regards Sent from Tapatalk Is there anything I can do to get the full speed on RB750Gr3? I am keeping the minimum setting as ...

Cha0s

Hi, Which is the best current configuration to the Mikrotik integration with FastNetMon? I'm using those: * Cache entries = 128k * Active Flow Timeout = 00:01:00 * Inactive Flow Timeout = 00:01:00 Netflow version = 9 Template refresh = 30 Template timeout = 30 FastNetMon is receiving data correctly...

Cha0s

After upgrading to 6.43.2 from 6.42.7 you can no longer have multiple IPsec peers to the same destination IP but with different source addresses. This regression is said to be fixed in 6.44beta14. Please check the change log in the post here . And I'd expect this kind fix to be merged to 6.42.x lat...

Cha0s

After upgrading to 6.43.2 from 6.42.7 you can no longer have multiple IPsec peers to the same destination IP but with different source addresses. Screenshot_17.png This worked fine on 6.42.7. What's the reasoning behind this restriction? I need multiple peers to the same destination but using differ...

Cha0s

Sure, So next time you login to your web-banking do not check for TLS. Just go blindly with http. Don't even check if you typed the correct domain or weather you got hijacked and redirected to another domain. What's the point anyway? Too many parties involved! :facepalm: People, it's 2018. Not 1996....

Cha0s

Why shame? Because there is no excuse anymore for any service to run without TLS. Certificates are free (if not dirt cheap for those that don't - for whatever reason - like Let's Encrypt). Why should any entity between the router and the update server even need to know what is being downloaded? TLS...

Cha0s

Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" d...

Cha0s

There is no way to present your message saying that the page is blocked. Besides encryption, the point of https is authenticity. If you could modify what the user could see then anyone could modify any https page leading to terrible security issues. So, no. Unless you create your own CA and install ...

Cha0s

And another interesting thread on the subject viewtopic.php?t=110925

Cha0s

+1
I've requested this back in 2014.
viewtopic.php?f=19&t=90564

Cha0s

So, us, professional users of ROS, that use it every day, should have to get stupid warnings, because of dummy users that mess up their firewall and never even bother to login to their routers ever again. Who exactly will this message be for then? Please. Stop trying to convert RouterOS to a 'DummyO...

Cha0s

Everything outside default protection rules. It should be only warning, nothing else.

So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?

Cha0s

Thanks!

Cha0s

Stop the use of the bundle package

+1

I don't see any benefit with the bundle package. It only confuses people.

Cha0s

I have set up automated exports and the output is saved in version control system, so I know what exactly changed and when.

Can you give more info on your setup/workflow?
I am interested in implementing something similar.

Thanks.

Cha0s

I think its unfair to call Mikrotik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol: I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates. Another example is Dropbox. It upgrades whenever it feels like it. No notification, no...

Cha0s

I vote NO NTFS, and I also vote to remove SMB, or at least make it a package that I can remove. Better yet, move all of the "home user" features into a separate package so that us enterprise customers don't have to have that type of stuff in our routers. I vote +1 for making all SOHO features a sep...

Cha0s

Tesla Car should go to a safe place/shop in auto mode, stop, do the critical updade, notify the client and contact tesla support to check with the client has we are talking about a 160.000€ car .... what do you think ? I think that I wouldn't want my 160.000€ car to stop whenever it feels like it s...

Cha0s

Not true.

There is a software implementation that works on Linux.
https://sflow.net/about.php

Cha0s

Also, after the netinstall, I configured everything manually, I didn't restore the configuration from a backup just to make sure that the 'problem' was not restored with it. But it didn't make any difference.

Cha0s

I still haven't found any solution. I did a netinstall and the problem persists. As a temporary workaround I've set up a VM with MikroTik which acts as the router for IPv6. So I have a static route from the CCRs to that VM via a physical interface instead of the VLAN interfaces, and then I have the ...

Cha0s

Well,

You are the expert. Why don't you explain it to us then?

Cha0s

There's also an "Alerts" section in DHCP Server which can monitor for rogue DHCP servers and alert you. https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#Alerts It also allows for "On Alert" scripting which could be used to disable the offending ports or apply firewall rules. There's a relevant p...

Cha0s

Have you tried TP-Link or D-Link?

I am sure they are much easier with all their wizards whistles and bells.

If you find RouterOS hard, then it's probably not for you.

Cha0s

If your RouterOS version is between 6.29 and 6.42 you might be able to get a list of all users/passwords using this exploit: https://github.com/BigNerd95/WinboxExploit

Cha0s

This has been asked many times since the new routerboot firmware versioning but it has been ignored.

Cha0s

I noticed that interface "last link up/down times" are in the future.

interface up-down wrong time.png

Cha0s

Sigh.... I give up.

Cha0s

August 20?

So 6.42.7 does NOT contain a fix? Because the build time is Aug/17/2018 09:48:44.

Cha0s

I can confirm that the security fixes were added to the notes after the 6.42.7 thread was already posted! Why was this? https://i.imgur.com/dN9k4D4.png This is bad. I check for updates every day on this forum. The day this release was posted, I read the full changelog and there was nothing of conce...

Cha0s

The bridge does what it says. It bridges multiple ports/interfaces together. It's pretty much a "software switch". https://en.wikipedia.org/wiki/Bridging_(networking) In this instance it will take all interfaces (except the first one) and make them act as a switch so all of them can communicate with...

Cha0s

Another way would be to create an address list, add there the domains you want to block and then create a drop filter rule using that address list as the destination. I believe this is the less resource hungry solution. No need to open any packet to check anything (TLS or otherwise), and you are act...

Cha0s

Hi, You just need to write Destination-nat for those servers with different port number and specify the DNS records in your ip/dns/static for those two servers then you can open it from outside with one public ip address. (You just need to know about destination nat and PAT-port address translation...

Cha0s

In my experience, if you upgrade from (much) older versions using System > Packages > 'Check for updates' menu (ie: not manually uploading the packages to the router), it will first upgrade to an intermediate version and then you have to perform another upgrade to get to the latest version. I haven'...

Cha0s

Yeap, I've seen this too.

But I think it is solved by 6.42.5. I haven't seen it for a while now.

Cha0s

Currently is easy to make a brute force search for mikrotik devices using the cloud service as the names follow an simple pattern and is just an DNS query. The serial number consists of 12 hexadecimal characters. I wouldn't call making 184884258895036416 (12^16) dns lookups 'easy'. It's easier to j...

Cha0s

To go to a HTTPS page you most of the time need a initiate that on http. Those days are almost gone. HSTS Plus, all major browsers have their own predefined list of major websites that support https and will connect only to https even if you only type the domain in the address bar. https://hstsprel...

Cha0s

Yes we have to start somewhere. How about users start to read how networks work and don't make stupid mistakes like disabling a firewall? Where to start.... You talk about doing MITM essentially to modify forwarded traffic. That's preposterous! And what about TLS? Everything moves to TLS. Doing it o...

Cha0s

Try downgrading to an older version by manually uploading only the packages you want. After uploading you hit the 'downgrade' button on the Systems > Packages window It should downgrade and remove all other packages. After that, you can then use System > Packages > Check for updates to upgrade to th...

Cha0s

RouterOS calls home each day or week to check if there is something wrong. If so every http session gets a page displayed that an update is needed because the router is below the minimal required version. If ignored then after two weeks the router only functions when you are initiating an update. A...

Cha0s

So far I've narrowed down this to VLANs. Using IPv6 on normal interfaces works without any packet lost. Using IPv6 on VLAN interfaces (under an sfp+ interface - if it somehow makes any difference) will cause random packet loss to random IPs. It's like the neighbor solicitation/advertisement packets ...

Cha0s

It's monstrous! You're kidding, right? I have never seen people that you say "You have shit on pants" and he said "they are new and clean." I just said about the manufacturer's oversight, and you're proving to me that everything is perfectly well thought out. Hilarious. (On salary in Mikrotik?) In ...

Cha0s

I also never received an email about the winbox exploit. Mikrotik claims to have sent it, does anyone actually have a copy of it?

Same here. I only got an e-mail on March 29th about the www vulnerability. Never for the winbox vulnerability.

Cha0s

By default ignore-as-path-len it's enable in instance.

ignore-as-path length is not enabled by default.

Cha0s

I feel this whole post if out of context.

Post your routing filters (using proper export: /routing filters export - not just print).

And describe your problem more accurately.
What do you expect to happen, and what actually happens.

Cha0s

I agree. +1

Cha0s

[IP] [data_direction] [pps_as_string] [action]

Cha0s

Hi I just try to run ./notify_about_attack.sh and I get the fallowing error on "fastnetmon_mikrotik.php"; MikroTik's API Integration for FastNetMon - Ver: 1.0 missing argumentsphp fastnetmon_mikrotik.php [IP] [data_direction] [pps_as_string] [action] Any idea? You cannot run this script without the...

Cha0s

Adding min/max values as shown in the screenshot-mockup on post #9 is easy in principle. They already have all the points drawn in the chart along with each point's value (otherwise we couldn't click on the chart and get each point's value number), so they just need to take the lowest and the highes...

Cha0s

It's not a matter of which window. Every window that has a chart is the same. You essentially have minimum and maximum values for all the points in the chart (not points not currently shown in the chart). It's a matter of what you view (range) in the graph at any given moment. That's the data from w...

Cha0s

Firstly, there is no real reason for "min" value as it is always zero. Of course there is a reason for min value. It's not always zero. You are not thinking this through. If for example you have constant traffic between 2 and 10 mbps, then the min value for that traffic at that time will not be zer...

Cha0s

When you add a new rule it is added at the bottom by default, when you do not want it there (because it has to be processed somewhere between the existing rules) you can move it, but that move will not make the software re-process the filters, as it should. Disable/enable does that. This is the sou...

Cha0s

we need more than one number, we need a few numbers (at least two - at the bottom and at the top)image_bt_num.png

I agree that having the min-max values shown at all times is useful .

Cha0s

On Win7 x64 the problems exist.

Cha0s

Yeah, the bug is present in many places. IPv6 static routes with link-local gateways will cause 100% cpu and disconnect. Editing and EoIP tunnel and setting the MTU (when not already set) will cause 100% cpu and disconnect. Copying an SSTP Client interface will cause 100% cpu and disconnect. Copying...

Cha0s

Any xDSL modem that can work in bridge mode, can work with MikroTik.

AFAIK USB modems are not supported.

Cha0s

Netinstall for Linux, or documentation of the netinstall process so it can be programmed for Linux by someone else.

+1

Also it would be nice if a MikroTik installation itself can be a netinstall server for another RouterBoard.

Cha0s

Since v3.15 when opening a static IPv6 route that has a link-local gateway causes 100% cpu usage on winbox using Win7 x64. Have the same symptom here in the CAPsMAN Channel-List. Sometimes when copying channel and editing either frequency name or other items for that channel, the dialog freezes and...

Cha0s

Set up a MikroTik (CHR or x86) on a datacenter somewhere, then create tunnels from the location to the datacenter. 1 tunnel per uplink. Then route all the traffic via the tunnels and eventually via the gateway of the datacenter router. If uplink1 is down, then the traffic can failover via uplink2. T...

Cha0s

Metarouter does not work on RB850Gx2.
The menu is actually there in Winbox, but it doesn't work? Never tried it since I don't need it at that site.

It doesn't work.

Cha0s

I should have said that I'd like to use MetaROUTER, which I think is not possible on arm yet? Does it work on PPC?

You can't always have it all I suppose.

Metarouter does not work on RB850Gx2.

Cha0s

I highly doubt that none of them work. You are doing something wrong.

Cha0s

Is there any way to make a COMPLETE reset of the router to a REAL factory reset? For a complete re-install of the OS (ie: format) you need to do a netinstall. https://wiki.mikrotik.com/wiki/Manual:Netinstall For a full configuration reset (without re-installing the OS - but it will reset everything...

Cha0s

So that could be an ND issue... Check what is happening in IPv6->Neighbors (interestingly, the menus "ND" and "Neighbors" are swapped in IPv6) ND is disabled. Neighbors doesn't show anything useful apart from status 'failed' when an IP is not reachable. At the same time, the same exact configuratio...

Cha0s

When you say "clients cannot ping the router", do you mean clients at your local network or clients elsewhere on the internet?

I mean local clients (servers) behind the router cannot ping the router (gateway).
They can ping each other (those under the same prefix of course).

Cha0s

For example, DHCPv6 issue could lead to DHCPv6 service crash (can be seen only by MikroTik staff) and IPv6 services could not work or work incorrectly.

Could this, by any remote chance, be related to the issue described here?
DHCP is installed/enabled but not used at all on both ipv4/ipv6.

Cha0s

I would welcome when the winbox-router connection is a little more patient in cases of network loss. With brief network interrups, like an intermediate router rebooting or an access point re-associating or a PPPoE connection being re-made, the open winbox windows all fall back to the connection scr...

Cha0s

This had me scratching my head for a while. Although you might re-order the rules, the new order is not active. However, if you 'enable' a rule in a filter chain (even if it is already 'enabled') it causes the chain to be flushed and re-applied in the correct (new) order. Maybe Mikrotik can add thi...

Cha0s

I have a setup in a datacenter running 2 CCR1036 in an active/standby setup. Both CCRs have identical configuration and use VRRP for the failover. This setup has been in use for over 4 years (an I suspect the problem I will describe is that old too) Everything works perfectly fine except IPv6. When ...

Cha0s

such as when you need to force some domain resolve into specific IP?

Ever heard of hosts file?

Cha0s

Since v3.15 when opening a static IPv6 route that has a link-local gateway causes 100% cpu usage on winbox using Win7 x64. With a global address as gateway there is not cpu usage. In the meantime everything stops updating in Winbox (all other windows don't show new info) If I leave it open for over ...

Cha0s

And at last.... Before 6.42.1-4, any of hEX has more than 4mb... anyway

I agree. On my devices that have 16MB flash, they have ~7.5MiB free, not 4.8MiB.

Cha0s

/routing bgp advertisements print _PEER_NAME_ detail

You will get output like:

 peer="_PEER_NAME_" prefix=x.x.x.x/y nexthop=.z.z.z.z origin=igp communities=1234:666

Or you can use winbox.
Routing > BGP > Advertisements, and there select the column BGP Communities.

Cha0s

I have to admit that Nv2 has been improved, but are you going to implement a madder TDMA protocol? I have co-workers that say "If you have 100Mbps on an AP and 100 clients connected, with TDMA you can give 100Mbps to them all simultaneously, slowing latency", I know that this is pure theory, but in...

Cha0s

Did that Groove have the lost space issue?

Obviously. Why would I try it on a device that has no problem?

Cha0s

Indeed the patch does not work! I tried it on a 2-partition CCR1009 (before reading other remarks). First copied partition containing 6.42.1, updated it to 6.42.5 which resulted in lost space issue as usual, then uploaded patch and rebooted, router came back but it has switched active partition bac...

Cha0s

Guys, be careful with this patch!!! I uploaded it to a test CCR1016 and it doesn't come up after reboot! Test it first! I tested it on a Groove and worked. I haven't tried it on any other device. @Mikrotik: will this patch be included automatically on next ROS updates so we can avoid the extra rebo...

Cha0s

Cha0s - Is it possible that you added EoIP tunnels from old Winbox version? I created the tunnels via CLI. Upgrading or rebooting the router loses the hostname in the remote address field and leaves an old/previously resolved IP. Never mind. It was my mistake. :oops: A combination of a forgotten cu...

Cha0s

Thank you very much for the reports about issues with space, next RouterOS version will fix the issue. Meanwhile this package can be used to clear space on your router, https://www.mikrotik.com/download/share/fix_space.npk - upload package to your router; - run /system reboot It works on every boar...

Cha0s

All major hypervisors support ova templates I was talking about providers. Hypevisors may support a million things. That doesn't mean that all features are exposed to end users by cloud providers. Cloud providers have very restrictive policies as to what you can run and how you can install new OSes...

Cha0s

Anyway, if normis or whoever from mikrotik by any chance read this, why there can't be CHR ISO installer? Why is there always another format desired? I am very happy that OVA was added and I installed my Dude test VM from there. (only to play with it, I don't really use it in production) Because wh...

Cha0s

Cha0s - Is it possible that you added EoIP tunnels from old Winbox version?

I created the tunnels via CLI. Upgrading or rebooting the router loses the hostname in the remote address field and leaves an old/previously resolved IP.

Cha0s

Again no fix for the diskspace loss when upgrading from 6.42.1 on CCR? (and maybe others) Why are these releases rushed out when known showstopping bugs exist? I can confirm the problem. pe1chl, didn't you get the memo? Kid control fixes are WAY more important than (eventually) "bricking" our route...

Cha0s

After rebooting, all EoIP tunnels that used dns hostname for remote address were replaced with IPs. I have to manually edit all EoIP tunnels and set the hostnames again. That happened on a couple of RB2011 and a couple of hAP AC^2. On various x86 installations the issue didn't occur. This problem di...

Cha0s

Again no fix for the diskspace loss when upgrading from 6.42.1 on CCR? (and maybe others) Why are these releases rushed out when known showstopping bugs exist? I can confirm the problem. pe1chl, didn't you get the memo? Kid control fixes are WAY more important than (eventually) "bricking" our route...

Cha0s

It's not my method, I just suggested how to make TomjNorthIdaho's rules shorter.

English suck. I didn't mean you as in singular. I meant you as in plural. You and Tom.

I am not gonna argue with you. Believe what you want about CF.

Cha0s

But chr is installable from ISO

Since when?
Where is it?

Screenshot_6.png

Cha0s

Where's the problem exactly? That's standard behavior in IPv6.
https://en.wikipedia.org/wiki/Link-local_address

If you don't want IPv6, disable the IPv6 package and reboot your router. You cannot not have link-local addresses. That's how the protocol works.

Cha0s

You still block CloudFlare and tons of other websites. Well, https cert on this host covers "ssl894059.cloudflaressl.com", "toknowall.com" and "*.toknowall.com" - doesn't look like there are tons of other websites :) Which means absolutely nothing. CF is not a static thing. It is a dynamic system t...

Cha0s

/ip firewall address-list add list=toknowall.com address=toknowall.com filter add chain=forward comment="VPNfilter toknowall.com" \ dst-address-list=toknowall.com action=drop log=yes What difference does this make? You still block CloudFlare and tons of other websites. These are just bad suggestion...

Cha0s

is this still in the feature request queue ?

There is no "feature request queue".
We just ask for stuff here, and MikroTik usually just implements stuff that nobody asked or cares about (eg: Kids Control, Detect Internet, etc).

Cha0s

I've been using SSTP, OVPN and every other vpn/tunnel that MikroTik supports for well over 10 years. I've never had any issues like the one you describe.

First upgrade to the latest version (if not already) and if the problem persists create a supout and send it to support@mikrotik.com

Cha0s

rb952ui-5ac2nD hap lite

That refers to the remote side ROS version.

Cha0s

RouterOS is based on the Linux kernel. And that's just about it. Pretty much everything else around the kernel (shell, services, etc) are closed source and written by MikroTik. So, no you cannot run your "library" on ROS. Your only bet would be Metarouter https://wiki.mikrotik.com/wiki/Manual:Metaro...

Cha0s

There is TFTP on RouterOS https://wiki.mikrotik.com/wiki/Manual:IP/TFTP I've only used it to download files from the router, not upload. But the documentation mentions a 'read only' option, which suggests that you can upload files. read-only (default: no) sets if file can be written to, if set to "n...

Cha0s

Cha0s

Why use bonding when you have 2 BGP peers? Keep them both connected and use Routing Filters to manage which BGP peer has priority (or whatever policy you want). If your peers both connect to the same remote AS then you can look into MED (multi exit discriminator). Also no need to check for pings... ...

Cha0s

So basically I would just need to set 192.168.1.0/23 on bridge1, a shorter lease time and restart the DHCP server? I never did this in routeros, seems simple :). You don't even need to restart the DHCP Server. Just change the lease time on IP > DHCP Server. Also you will need to update any referenc...

Cha0s

I fully agree with that. I routinely use /23 /22 and /21 subnets without any issues. Furthermore, when you extend the existing subnet the existing addresses can remain the same. I agree. I've done it numerous times without a hitch. Especially on DHCP-only networks without anything statically config...

Cha0s

Just wondering, are these little things purely unable to reach that level of routing performance? Or am I missing something?

Yes, you are missing something. FastTrack.
https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Cha0s

On a datacenter environment (fixed ambient temperature at 21°C) my Mikrotik S+85DLC03D SFP+ modules run at ~40°C. The router health monitor shows a temperature of ~36°C. On an outdoor installation with an OPTIC-SFP-5324S-20-SC SFP module during winter (outside temperature between 0-15°C) it runs at ...

Cha0s

I recon you have full feed. and single core problem every question you make in cli will take forever. I guess that winbox can't be faster then cli can so..... Or am I missing something? This is a winbox issue. It doesn't have to do with the amount of cores. Even with 4-5k prefixes in the advertisem...

Cha0s

The 'Too Many Advertisements' bug *IS STILL IN WINBOX* after being a known issue for **literally years** now. You just need to remove this code totally. It does not work, and even the MESSAGE is buggy ... 'show them all.nPlease' ... Can you please just remove that entire bit of code? It doesn't wor...

Cha0s

It would be best when MikroTik would assign some more specific topic to this (and some other) log message. E.g. when it would not be logged as info but as info,fetch it would be easy to block this log by adding !fetch on the info topic log, and still log other info. Maybe do a scan of all logging a...

Cha0s

It would be nice but it wouldn't be secure (information leakage).

So I disagree. I would go as far to ask for the RouterOS version to be removed as well from the login page.
The less identifying information about RouterOS to non-logged in users, the better.

Cha0s

I am confused about everything the OP posted

I couldn't make any sense of what the request is...

Cha0s

AFAIK you cannot install ROS onto USB sticks, unless something has changed over the past years (I haven't tried in a long time).

Other than that, ROS will make very few to a lot of writes, depending on your configuration.

Cha0s

There should be a native Linux management utility that is open source. But there is. It's called SSH. You can access and manage/configure any RouterOS installation by these five methods: -WinBox (desktop windows App) -WebFig (Web based control panel with and without SSL) - if you can't access it it...

Cha0s

Whenever I have read the changelogs for the updated OS I have not seen anything that would affect me or would benefit me. Ever heard of "if it ain't broke, don't fix it!"? Well I am sorry to break it to you but... that sounds like your problem. The changelog DID mention a VULNERABILITY. So it WAS b...

Cha0s

Even worse, it sounds like the issue was fixed over a year ago, but nothing was mentioned about it in any newsletter or email I received from you. This WAS mentioned when it was fixed a year ago. Release 6.38.5 2017-03-09 What's new in 6.38.5 (2017-Mar-09 11:32): !) www - fixed http server vulnerab...

Cha0s

Since the rules you describe seem to not need Connection Tracking, then you should probably try first disabling the accept established/related rule and if that doesn't change anything. then move to raw table as you mentioned. I run a similar network to what you describe, with BGP and BFD for rapid c...

Cha0s

Looking away from RouterOS v6.x running IPv6 BGP [tables]? Not being able to verify IPv6 routing table (when not main table!) is really a big deal. (But seeing the routes exists by the number the route counter shows. :sigh:) And doing policy routing rules for anything else than main table in IPv6. ...

Cha0s

I am not sure blocking traffic with port 0 is wise. As far as I know, when the payload of a message is too large to fit in a TCP/UDP packet (see MTU), then it gets split into multiple packets (ie: fragmented packets). The first packet contains the TCP/UDP headers with the source/dest ports but the n...

Cha0s

I have a similar setup but since VRRP (with VLANs under it) introduced a huge overhead causing high packet drops and lag on high throughput (mainly during DDoS attacks - even if they were much smaller than what the uplink could handle) I reconfigured VRRP so that it's not in the data path but rather...

Cha0s

I have a similar issue but not exactly the same. At random times (I haven't been able to pin down what exactly is causing it) Winbox will show the exact opposite. Instead of the huge-unrealistic values you get, in my case, every 2-3 seconds all interfaces in interface list shows 0bpps/pps. It's not ...

Cha0s

+1 patric7 & pe1chl After 3+ years of waiting for the new routing engine, I am very skeptical of using CCRs and RouterOS for any other big project that comes to my way... As perfect as RouterOS in terms of usability (which tbh is the only reason I keep sticking to ROS), it's really limiting when use...

Cha0s

How does your monitor system (I can't tell which is it from the screenshot - never seen it before) connect to the router and subsequently reach the uplinks? Is there a switch in between? Do you monitor any other local devices (and the router itself)? Do you see the same latency spikes on local devic...

Cha0s

When is RBM33G to be released? My supplier was told that it would arrive in early January, then February and now we are on March and still nothing. This is all de javu of RB3011... I guess I'll have to stop reading any Mikrotik newsletter since they announce stuff that either get super delayed or ne...

Cha0s

Is that due to current RouterOS limitation or Mikrotik not embracing blackhole routing for IPv6?

It's a little bit of both IMHO.
IPv6 in MikroTik is generally very barebones compared to the features they have implemented for IPv4.

Cha0s

A switch is one of those parts that can never go down when used to switch storage traffic. Otherwise you are in for a long day (well... it depends on what you are using the storage for... I assume VMs since this is mostly the case these days). I wouldn't be very confident in using MikroTik switches ...

Cha0s

That file is almost 4 Megabytes. Many RouterOS devices have 16MB total storage size. Funny you should say that, we keep telling you that 16MB is not much. :) I was just about to say the exact same thing. 16MB flash is simply a joke in year 2018. It's one of those satisfying moments of ' I told you ...

Cha0s

If this app is not open source how can one be sure that data and access to routers are not logged, shared, or misused? What is the guarrantee here to expose oneself to a third private party? This is a serious concern. Sniff all the data that come in and out of your android device and see if it trie...

Cha0s

According to Normis the miniPCIe slots can be used for wireless adapters as well.

viewtopic.php?p=632854#p632854

Cha0s

I don't mind to wait for 2 reboot instead of one, if it'll go automatically. If the second reboot happens automatically before any network connectivity is up, then I don't mind that either. ROS boots rather fast (compared to the likes of Cisco for example). But making the whole network come down an...

Cha0s

Why not make it actually useful so that it will upgrade the firmware along with ROS at the same time with one reboot instead of two?

Having an option like this and still require to have to do another reboot is pretty much useless IMHO.

Search found 890 matches