MikroTik

Cha0s

Frankly since 802.11n, but I am curious what exactly they fixed.

Cha0s

Open Addresses.CDB with notepad and you will probably be able to find the password in there.

Cha0s

[joking]
I am using Windows 95, they have been working great for the last 25 years without any updates!
I've also been using no firewall, since firewalls are for newbs.

But, today I logged in only to find out that they were hacked!

How could this have happened???
[/joking]

Cha0s

*) wireless - fixed Nstreme wireless protocol performance decrease;

Can you give more information about this?

Cha0s

@mkx, you seem not to understand the problem.
As I wrote ... waste of my time.

Yeap! Added to foes... can't stand 100 posts per day blaming incompetence as bugs.

Cha0s

You mean constructive, like telling you exactly how to downgrade and you ignoring it?

Cha0s

Like I said: even the standard downgrade function does not work, as the version is the same as before, after the reboot. Then you are doing something wrong. Read the fine manual again and retry until you succeed. Only with exercise you will learn how to properly use ROS. [admin2@CRS125] /ip service...

Cha0s

I believe that Wireless Sniffer uses the same protocol as Packet Sniffer to stream the data to a server. TZSP

Cha0s

Go to the Switch window and then on the Port tab.

There you can set the Ingress and Egress rate of each interface.

Cha0s

You need to either set a different subnet for the modem (or LAN) or bridge ether1 and ether2 so they are both in the same broadcast domain. Right now you've got 10.0.0.0/24 for both the modem (ether1) and your lan (ether2) Also, you probably will need to set up a SNAT rule to be able to access the m...

Cha0s

It used to be different (I don't recall when they changed their licensing model) and a license would not cover unlimited major version upgrades. At some point (I think during v5) they changed this model. I've got licenses that I bought in 2005 using v2.9.x and have upgraded them to v3, v4, v5, v6 ov...

Cha0s

Like I said: even the standard downgrade function does not work, as the version is the same as before, after the reboot.

Then you are doing something wrong.
Read the fine manual again and retry until you succeed.

Only with exercise you will learn how to properly use ROS.

Cha0s

To upgrade you can use the System > Packages window and click on "Check for Upgrades". From there you can also change channels (stable, long-term, rc, dev) If you want to downgrade to a specific version, then you have to upload the packages manually to the router and then from the System > Packages ...

Cha0s

@Cha0s, what you suggest would likely work, but sending individual packets of the same TCP session via different physical paths is what 9 of 10 dentists advice against as that may cause packets to arrive to destination in shuffled order. So a good exercise but a possible headache if deployed in pro...

Cha0s

One way to evenly distribute the traffic among all interfaces with using pure ECMP (no routing marks, etc), is by disabling route cache in IP > Settings. This will make each packet to go through a different interface in round-robin fashion (I think), instead of per src/dst ip. So even a single conne...

Cha0s

What's broken in beta60? I use it on a lora gateway and I haven't noticed any issues (albeit - it's just a lora gateway). By the way, I kind of gotten used to the new icon-set, but it appears terribly low quality. Like using old gifs (256colors) in 90s web pages and manually setting the dimensions i...

Cha0s

Small DIN switches.. Wide input DC power. It'd be nice to be able to mount small switches on walls in closets, cabinets, backboards, industrial situations, etc... Good idea! Also something like what Nexans is doing with their Microswitches for FTTO. I've used them in a few buldings and while the id...

Cha0s

r00t, you are spot on!

(too bad there isn't a 'hear hear' or 'clapping' emoticon available)

Cha0s

Winbox is more than comfortable. If you don't feel comfortable with the current UI, then Winbox is not for you. You can look into TP-Link or Netgear. I hear their devices are VERY comfortable to use. Hey bro, I think you are too proud with wrong direction, I just suggest to Mikrotik for better user...

Cha0s

Check here: viewtopic.php?p=793526#p793526

Cha0s

Third, UI/UX dose not harm WinBox, it only interface to make more comfortable look and feel to use network as simple configuration. By definition changing the UI you change the interface . It's the "I" in UI. Winbox is more than comfortable. If you don't feel comfortable with the current UI, then W...

Cha0s

But now they are aspiring to be in the range of Enterprise hardware/software vendors, so such topics must receive top priority. Unfortunately they are just aspiring to get into the enterprise sector. They don't actually try to. I can't imagine any big enterprise that can wait for over 6 years for f...

Cha0s

I guess most of you have already noticed that <TAB> key does not move focus from one input field to another.

And double click on an input field does not select the text.

Cha0s

Also tried using the server feature in btest, but router can't connect to it, no matter if using UDP or TCP. Going to server tab, checking "Enabled" and pressing "Apply settings" does nothing. I don't even see open btest TCP port... Works ok here. Maybe your windows firewall blocks the incoming bte...

Cha0s

:global dns [:resolve "www.google.com"]     
:put $dns
216.58.212.4

Cha0s

What does SDN have to do with Winbox UI?

I strongly disagree with redesigning the Winbox UI.

Cha0s

I think it's more complicated than that. No matter what method you choose, how would you (automatically/inside ROS only) know that the bottleneck is between you and the ISP (thus the ISP cheating) or somewhere outside your ISP's network (depending on how/with who you perform the tests) ? If the ISP ...

Cha0s

Sure, that's all true (that was implied by my "user defined policy" comment).
But OP didn't mention anything about RIRs or the public internet or any "provider".

Those were your assumptions followed by a false statement about what the protocol can or cannot do.

Cha0s

BGP not allow to announce /24 to provider over eBGP but if you are in your network with iBGP you can do it! This is a false statement. BGP doesn't care about prefix length on its advertisements, regardless of eBGP or iBGP. You are confusing user defined policy (which yes, /24 is usually the smalles...

Cha0s

So... you are using Docker to run a fully virtualized instance of CHR using qemu.
Meaning this is not a container but a full fledged VM over Docker.

What exactly is the point of this?

Cha0s

Unfortunatley every time MikroTik features in a Linus Tech Tips video he never gives the product the showcase it deserves, makes me wonder if he really understands it! After watching their 10 Gbit home network video a while back and they were having trouble figuring out how to configure it/couldn't...

Cha0s

Do you or anybody else can tell me whether RouterOS can be tested also in an LXC (or LXD) container in Linux as well? ROS cannot work as a container. Do you happen to know whether RouterOS can be installed on the following dual-core ARM device with multiple Gigabit interfaces: http://wiki.banana-pi...

Cha0s

Do you or anybody else can tell me whether RouterOS can be tested also in an LXC (or LXD) container in Linux as well?

ROS cannot work as a container.

Cha0s

So I don't see this one getting fixed any time soon (even if it's fixed, it will probably never make it to each vendor's updates). Wow! Talk about bad prediction! Just today I got an update from Samsung! And while it didn't mention anything in the changelog, it appears that they included a fix for ...

Cha0s

BGP can and will announce any prefix length.

Check your filters, you probably discard any prefix smaller than /24.

Cha0s

I was waiting for this much more than for DoH but each has their own preferences I guess.

Yeah, DoH is cool, but DNS forwarding is more essential to me.
I personally had given up on it. So this was a pleasant surprise!

Cha0s

nz_monkey is spot on

Is this an subtle acknowledgement that you are working on it?

Cha0s

*) dns - added support for forwarding DNS queries of static entries to specific server (CLI only);
*) dns - added support for multiple type static entries (CLI only);

Finally!!!
Can't wait to test this one out!

Will forwarding be able to match regex entries also?

Cha0s

From what I understand this is an Android bug and it's not specific to MikroTik. So I don't see this one getting fixed any time soon (even if it's fixed, it will probably never make it to each vendor's updates). For the time being I switched to Wireguard, and so far I am very happy with it. I'll pro...

Cha0s

Android 9: terminates after about 83 seconds...

Also Android 10 on Samsung Galaxy S9+
Prior to the recent Android 10 upgrade from Android 9, it was definitely working for me without problems.

Has anyone found out any solution?

Cha0s

That's exactly what EoIP is for.

Cha0s

Pay attention to the implementation scheme, are there any comments? He just told you. The switches you are using are not routers. You need to put in proper routers if you need to route (not switch) traffic. MikroTik switches, are not L3 switches. They may technically be able to do routing, but not ...

Cha0s

This is certainly true but why not do an identical procedure on ROS via WinBox or WebFig? Because it is a waste of developer resources. MikroTik should focus on fixing bugs and introducing new features. Not cater to noobs that cannot be bothered to read the manual. Seriously, the amount of posts as...

Cha0s

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job. That's why I hate the non-IT community . Instead of complaining about what you don't know how to use and asking to dumb down things, you should start by RTFM. It doesn't cost your job. It isn't even...

Cha0s

That what you wrote is still in the future. All major web servers support TLS 1.3 already. Browsers too. It is NOT in the future. It's already being rolled out. It has started since 2018. At the moment using DoH is futile if you want to have privacy. I remember back in the non SSL/TLS days, people ...

Cha0s

It is a FALSE assumption, that your traffic (metadata) is invisible when using HTTPS or/and DoH. When TLS 1.3 becomes mainstream, it will no longer be an assumption. Right now even using TLS, the ISP can see the domain you are visiting. After TLS 1.3 that will no longer be possible and the L3-L4 "m...

Cha0s

Agreed. New icon set is horrendous
Those new are just UGLY, one color type.
Yes! Bring our colors back! It is much easier to find something on a glance when it is different from its neighbors...

+1

Cha0s

People who asked to do the interface smaller probably work on a FullHD monitor because on a 4K monitor (3840x2160) the interface looks incredibly small even with the maximal zoom. Please make the interface bigger or add more zoom levels. QHD, and I still prefer it smaller than the default. The more...

Cha0s

I'll go slightly against the flow. Everyone seems to want things bigger, but I'd rather have them smaller. Or maybe better term would be more condensed. It's about one specific thing, line height. +1 Finally I see someone talking about UI efficiency and not looks! I too want to be able to see as mu...

Cha0s

ROS didn't use Quagga.

This is not true.
Back in 2.x days ROS was using quagga. And a rather buggy version at that.

But yes, the current implementation AFAIK is not based on quagga.

Cha0s

What did you try?

Cha0s

Use the Netwatch tool.

https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch

Cha0s

or use other more reliable ways.

Or just revert it back to how it was...

Cha0s

System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle. That is just plain silly! Now when I check for new version and click Download, or after uploading files using FTP, I cannot even check if the files were loaded completely bef...

Cha0s

I'd like to ask the developers if they can, so please kindly fix the bug, according to their natural priority ... It appears that Mikrotik's priority on cosmetic bugs is very very low. This bug has been reported many many times for many many months now and it has been thoroughly ignored by MikroTik...

Cha0s

Remove tr069 package, then manually upload the new packages (not the bundle) you need.

Reboot, and you are good to go.

Cha0s

Virtio

Cha0s

CHR's virtio/vmxnet3 based interfaces seem to always show "Auto Negotiation: Incomplete | Rate: Unknown".
License doesn't matter. You can try it yourself with a P10 demo license and it will still show Incomplete/Unknown.

Regardless of the negotiation status, it does actually work at 10Gbit.

Cha0s

What have you tried?
Post you configuration.

Cha0s

"my ISP does not offer it" To me this is kind of a chicken and egg problem. If ROS doesn't fully support it, then yes, ISPs based on ROS won't offer it, and then users won't use it, which in turn translates to "low demand" in MUMs, etc. IPv6 doesn't bring much benefit to the end user. Yeah they wil...

Cha0s

Today we got this announcement from RIPE. Dear colleagues, Today, at 15:35 UTC+1 on 25 November 2019, we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now run out of IPv4 addresses. Our announcement will not come as a surprise for network operato...

Cha0s

I don't think you can do that.

The way I understand it, if you need a prefix to be passed through the Anti-DDoS ISP, you need to only announce it via them and not any other ISP.
Otherwise, anyone that is closer to that other ISP will choose that path to reach you instead of the Anti DDoS ISP.

Cha0s

I've used various SFP+ modules on RB4011 without any issues. CISCO-AVAGO 10Gbase-SR SFBR-709SMZ-CS2 CISCO-AVAGO 10Gbase-LR SFCT-739SMZ FS 10GBase-ER SFP-10GER-31 OPTIC 10Gbase-SR S+85DLC03D MikroTik 10Gbase-SR S+85DLC03D And a few more (mainly 1Gbit) that I don't recall at the moment. As a matter of...

Cha0s

I don't know if I fully understand what you ask, but I believe that in order to achieve what you want, you stop announcing your prefixes to the worldwide ISP and only announce them to the Anti-DDoS ISP, and they in turn announce them to the world. This way your incoming world-wide traffic will arriv...

Cha0s

The next two Mum's are on the 14th of November and the 28-29 of November. My money is on Brazil in two weeks.

It got announced today in Athens' MUM.
https://youtu.be/ZKLtPiFoX4k?t=3514

Cha0s

Thank you for your opinion.

Cha0s

FastPath needs Route Cache to be enabled.

With route cache enabled, the router becomes almost completely unresponsive during any moderate SYN flood attack.

Cha0s

They will not get such contracts anyway, and those that do get them generally deliver equipment that is a little more sturdy. At its price, of course. Yeap, I agree. In my country at least, it is certain that the job will go to the company with the worst price and the most kickbacks to the politici...

Cha0s

I presume if port 80 is blocked, it will also try port 443 and even port 6568 as implied in the FAQ. Here are some logs from a corporate proxy blocking anydesk. 1572105939.836 0 x.x.x.x TCP_DENIED/403 2045 CONNECT 144.76.103.6:80 - NONE/- text/html 1572105941.837 0 x.x.x.x TCP_DENIED/403 2059 CONNE...

Cha0s

This is not a Docker image for ROS but for OpenVPN.

Not to mention that it hasn't been updated for over 4 years.
https://github.com/AlexBeznos/openvpn-mikrotik

IMHO, ROS on Docker (or any other container platform) is a waste of time.

Cha0s

Docker is a container.
ROS is not just a web server or some app to be run in a container.

It is heavily dependent on its kernel to implement many of its features.

So my guess is that there will never be a docker image for ROS.

Cha0s

could you please consider changing application bar/other WinBOX window component colour while in SafeMode? Regardless of information when exiting the app it would help to identify the current mode.

+1

Cha0s

MikroTik routers are fine for many purposes, but when it appears you are pushing the limits it may be time to look at others. Sadly, this is very true. I would love to see higher end models using ASICs (with the appropriate price tag) to be able to use MikroTik hardware for enterprise solutions. CC...

Cha0s

With only 60 routes, it is indeed annoying! If you try to login with a fresh/empty ( <none> ) winbox session, does it change anything? ingdaka on every single router I manage that has more than 1-2 thousands of advertisements, it always occurs. Without exception and regardless of architecture. Proba...

Cha0s

Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443. I never said blocking ports 80 or 443... in my previous post i said block the listening port which is not 80 or 443 ...

Cha0s

L7 firewall blocking is not recommended anymore...! Especially when what you want can be achieved by a simple TCP port block..! I don't think that a simple block will do it. https://support.anydesk.com/FAQ Which ports does AnyDesk use? To connect to the AnyDesk network port 80, 443 or 6568 is used....

Cha0s

One thing that may help replicate this issue is using the sfp port. Both times I have witnessed this and all times our tech support has witnessed this the sfp port is in use.

Interesting detail.

In my board that the issue occurs, I indeed use the SFP port.

Cha0s

For the problem to manifest you have to have no device connected to 5GHz wifi for a few hours. Then it "crashes". The title is a bit misleading. The interface doesn't get disabled, in that you don't see it disabled (greyed out) in winbox. It shows up/enabled fine in winbox/cli, but it doesn't trans...

Cha0s

Cha0s

For the problem to manifest you have to have no device connected to 5GHz wifi for a few hours. Then it "crashes". The title is a bit misleading. The interface doesn't get disabled, in that you don't see it disabled (greyed out) in winbox. It shows up/enabled fine in winbox/cli, but it doesn't transm...

Cha0s

"Broken" is rather vague.

Post proper pictures with proper lighting of both sides of all boards so we can see what the damage is exactly.
Posting 3 boards on top of each other, and on their back where there are no components, is just silly.

Cha0s

Please remove it, or at a minimum put it in a separate .NPK from the base OS. maybe a separate soho.npk that includes the torrent client, kid-control and SMB server..

Amen!

Cha0s

Wait, torrent wasn't a joke?

Torrent is an essential feature of every router!
DNS on the other hand...

Cha0s

At the moment there is no fully automated method in ROS to switch from a bad uplink (bad as in slight packet loss or increased latency somewhere between you and the destination - but still functional as far as ROS is concerned) to a backup/good one. You either have to resort to cumbersome scripts a...

Cha0s

I don't know (or care) about how LTE handles loss, etc, but I think we've got offtopic comparing this to LTE. LTE is just one type of Internet access and is irrelevant to the topic at hand IMHO. I can see this technology having significant benefits even if your uplinks are fiber based with 99.999% u...

Cha0s

I did Anav. One of the first hits was NordVPN, but I see it doesn't support MikroTik anymore. Hence I'm asking here. Since v6.45 MikroTik can connect to NordVPN without problems. using IKEv2. https://nordvpn.com/tutorials/mikrotik/ikev2/ https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_...

Cha0s

Cha0s

Yes, ~45 degrees seems to be the norm for this device.

graph.php.png

Here's a comparison between RB3011 and and RB4011 that replaced it around a month ago.

Cha0s

Several days passed, still no replies and not a single email about this issue. Is the RB4011 5GHz issue resolved? The problem still exists. For me it took about 29 days on a brand new RB4011, before it occurred. Since then the wifi gets disabled (stuck in "initializing") in less than a day for 3 da...

Cha0s

Mikrotik doesn't block Google Translate, or any other service for that matter. All RouterOS does, is route packets from one network to another, according to however you configure the device to do so. It doesn't take it on itself to decide whether you should be able to access a webservice or not. If ...

Cha0s

Don't touch my WinBox, it's one of the best tools invented by mankind, and it's perfect as it is now. It's like trying to reform hammer, sure you can come up with something else that's not bad either, but it still won't be good replacement for the simple and reliable tool in all cases. Native WinBo...

Cha0s

*) system - accept only valid string for "name" parameter in "disk" menu (CVE-2019-15055);

I guess asking for more info on that is pointless until you provide an update for stable/long-term channels, right?

Cha0s

Yes, I am aware of that, but how do the others do it, at train stations, airports ... ? a few weeks ago I set up a WLAN connection at the airport and I couldn't download any files. So there has to be a solution. I doubt they were able to block files download over an HTTPS connection. Only whole dom...

Cha0s

Strangely enough, URL Block also works for HTTPS pages. This works here, for example: ^.+(youtube.com|facebook.com).*$ Domain block (not URL block) works because the domain is visible (unencrypted) during the TLS session setup between the browser and the server. After that, you cannot see anything ...

Cha0s

This L7 Regexp does not work anymore since update: \.(exe|dmg|cab|msi|flv|mp2|mp3|m4a|mp4|torrent)($|\?) I used this to block file download. I also don't know which MikroTik version I had before. I think it was the 6.43. You do understand that this is useless in an ever growing https world, right?

Cha0s

Probably something wrong on your side. An antivirus messing up with the downloads maybe?

All links work fine on my end.

Cha0s

I've got a few of the non wifi RB4011 models and I have no issues. In fact I found that RB4011 was the only model that I could saturate the uplink with a single connection over IPsec, while others couldn't go much higher than 150Mbps (and that with multiple connections only). Granted, my configurati...

Cha0s

Almost two years have passed, and absolutely nothing has changed.

CCRs still cannot route (not drop) a moderate flood of SYN packets.

Cha0s

cpu spikes
Huh?..

Do you want to elaborate more?

Cha0s

Also, Winbox on Linux/Wine is definitely heavier/slower than on windows. Each screen refresh causes cpu spikes when having multiple windows open.
On windows there is no such cpu usage no matter how many windows I have open in winbox.

Cha0s

Last Link Up/Down Time botched. It started happening to me (951G-2HnD, 941-2nD) on the latest stable ROS 6.45.1 / WinBox 3.19. Ethernet and ppp links. WinBox Terminal - correct: last-link-down-time=jul/08/2019 12:31:21 WinBox Interface List - wrong: Last Link Down Time: Jul/14/2019 09:44:52 Today i...

Cha0s

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused. While you are at it, will you fix the interfaces last up/down times on winbox that are in the future?

Cha0s

My configurations use all types of tunnels.

GRE, IPIP, EoIP. All of them, over IPsec without any problems on my end.

Cha0s

You are looking for ECMP - Equal Cost Multipath. https://wiki.mikrotik.com/wiki/Manual:BGP_Load_Balancing_with_two_interfaces ECMP by default (route cache=on), will load balance per connection and not per packet. By disabling route cache (in IP > Settings) then ECMP load balances per packet on all a...

Cha0s

2 Mikrotik Team Do you confirm some troubles with GRE interfaces + IPSec (transport) ? What we have to do in that case? Maybe there is something special with update? For example: We have to update passive sites first to 6.45.1 and after main router to 6.45.1 Or another way? Thanks! I have IPsec tun...

Cha0s

I agree with pe1chl. phpBB can also send mails using the native mail() function of PHP, which by default will send mails using sendmail executable to localhost. This can be blazing fast since it doesn't even care if the local MTA is loaded or not or even running at all. It writes directly to the fil...

Cha0s

i upgrade my RB433AH after that...i couldn't access with current user and password and with admin???? . My observation is that after a reboot, the first login attempt fails ... subsequent logins are successful. This behavior has been reproducible after every reboot, of the single device I'm testing...

Cha0s

NETMAP needed.

not nat.

You mean NPT, and both NAT66 and NPT (or netmap) are types of NAT.

Cha0s

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.

+1

Cha0s

If you have many custom settings, then you should most definitely not use quickset. If you can still sensibly change settings using quick set, then ... you don't have that many settings after all. I'm sorry but reset is not a solution Then you shouldn't use Quickset. Quickset is only for initial se...

Cha0s

That wrong time is a "known problem" that was introduced several versions ago, not with this version. It likely is already on the list of things to fix. Also I believe it's a winbox bug and not a ROS bug. CLI shows the correct times. IIRC deleting the session on winbox also shows the correct times ...

Cha0s

LtAP mini Kit has two SIM slots. Is it possible you are using the wrong SIM slot?

They way those slots are it's not always clear weather you've inserted the SIM on slot 1 or slot 2 (they call it up/down in System>Routerboard>SIM menu).

Cha0s

What does the browser's web developer's tools console shows when it cannot load the iframe? If the iframe url can load when accessed directly, then it's almost certain that it is not a networking/MTU/MSS issue. Is it possible that the client's browser is messed up (or some other software is messing ...

Cha0s

MikroTik has no L3 switch that can do wirespeed routing. Can can do L3 stuff on MikroTik switches, but the performance will be way lower than 10Gbit (maybe even lower than 1Gbit) since all those functions are done on the CPU and not on the switch chips. The CCR line are not switches but routers. Tha...

Cha0s

Just got an RB4011iGS+RM. It has 512MB flash, so I might have been interested, but the online documentation states that it's only available for MIPS, TILE and PowerPC. Too bad. RB4011 perfectly supports multiple partitions. I am using it on multiple RB4011s. AFAIK as long as you have >=64MB of flas...

Cha0s

If you double click on the source address it gets copied to the Src. Address Filter field.
Same goes for Destination address.

No the best solution, but it's better than nothing.

Cha0s

For Unimus, connect to router periodically (user configured scheduling), and retrieve "/export compact". After that, strip all dynamic content in the output (timestamps, log messages, runtime comments, etc.). Parse the config, check if anything changed against last retrieved config. If a change is ...

Cha0s

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk? Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc? Usually a configuration management system does this for you. Unimus does this out-of-the box and you c...

Cha0s

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated. In the scenario where an ISP doesn't provide a static IP to it's client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostnam...

Cha0s

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

Cha0s

+1 for TACACS+ support

Cha0s

Incorrect time is cosmetic Winbox bug noticed when there are multiple Winbox instances open. If you check in terminal, time is reported correctly.

When will it be fixed? This has been reported for many releases by now.

Cha0s

I confirm the problem.

Cha0s

Check this MUM presentation https://mum.mikrotik.com/presentations/ ... _Nikos.pdf

Cha0s

On RB951 and similar boards, I don't expect the best performance and I don't think PHP should be supported at all on these models due to the low power CPU and resources. But for the more capable models, like RB3011, RB4011, CHR and CCR-series, it could be a nice addition. Yeah, but that ain't gonna...

Cha0s

Legal limits are about EIRP. EIRP is not Tx power at transmitter's RF connector, it's power at antenna perimeter. And that value is affected by antenna gain. Which is not how most of WiFi users (and, sadly, WISPs) understood things ... I remember attending a Netgear "seminar" back in 2005-2006ish a...

Cha0s

PHP Support for webpages. So, that we can make advanced webpages without visible scripts (JavaScript is visible to the user, PHP scripts are not). I know MikroTik's webserver is meant to provide the basics, but you don't always have the space and budget to place an external webserver (and no.... a ...

Cha0s

In year 2019 - this RB belongs to the trash

Besides suggesting putting it in a landfill, polluting the environment for no good reason, do you have anything on-topic to suggest?
Like for example, what is the value of C78?

Cha0s

Those are C67 and C68 and their value is: 560μF 6.3V 105°C

While we are at it, does anyone know the value of C78?
It's right behind the DC barrel connector and it's an SMD one.

ima_82b5a40.jpeg

Cha0s

AFAIK there is no such option.

On the other hand, MikroTik is a router, not a NAS device. Don't use it like that.

Cha0s

That (voip) explains the high packet rate but low bandwidth I saw on your screenshots. Unless you use NAT, you don't need the SIP direct media helper (and I think it doesn't even get involved in forwarded traffic when there is no NAT). Also, connection tracking in general, with lots of connections a...

Cha0s

Same with the web interface.

Cha0s

+1 by me as well.

Cha0s

You cannot bond at the CHR level. Right now you are bonding two virtual NICs that connect to a Virtual Switch. Not Nexus. You should do the bonding at the ESXi level. But from there I don't know how you could get more that 10Gbps on the CHR. I've read some posts that the VMXNET3 driver doesn't reall...

Cha0s

Upgrading from 2.8 to 2.9 on a CSS106-5G-1S causes severe traffic drop between 1G ports and 100Mbit ports. It's random from 0 to 40Mbps. Reverting back to 2.8 traffic increased back to steady 100Mbps. Are there any errors in interface stats when using v2.8 or v2.9? No errors at all on any port.

Cha0s

Upgrading from 2.8 to 2.9 on a CSS106-5G-1S causes severe traffic drop between 1G ports and 100Mbit ports. It's random from 0 to 40Mbps.
Reverting back to 2.8 traffic increased back to steady 100Mbps.

Cha0s

Same here

Cha0s

I did as much reading as I could both with the sparse supplied docs and what was online before and during my efforts!! I have winbox v3.18, I fail to see a safe mode. FWIW, been doing router stuff etc. since 1989 but I am not an "IT Professional" Everything about RouterOS is documented here: https:...

Cha0s

Maybe something link this (to accommodate for the time requirements). /ip firewall nat add chain=dstnat src-address=192.168.1.116 time=22h-7h,sun,mon,tue,wed,thu,fri,sat action=dst-nat to-addresses=192.168.1.20 Also, this thread needs to be moved to some other category. It has nothing to do with wir...

Cha0s

You can add all the prefixes (/22, /23, /24) in Routing > BGP > Networks. And then use separate filters on each peer to filter out which of those prefixes will be announced to each BGP peer. I suggest you first create the filters, apply them to the BGP peers and then add the more specific prefixes t...

Cha0s

3. Cannot find my router in Netinstall. Ethernet cable to Ether1 slot from my laptop, no other network connection and strictly follow instruction.

Try connecting to port 12 instead of port1.
viewtopic.php?p=399474#p399474

Cha0s

Thanks! That resolved the issue!

Cha0s

Just to clarify (if anyone else wants/can reproduce this), the config regarding the virtual wlan interfaces was, 1 virtual wlan interface per physical wlan (one for 2.4GHz and one for 5GHz) both added to a bridge.

Cha0s

Symbol: ` in WLAN SSID brake all wlan interfaces. Or even not a symbol, but a virtual WLAN. When I create a virtual WLAN and reboot hap ac^2, I don't see all interfaces and export doesn't work in the console. DimaFIX - Please send supout.rif file from your router to support@mikrotik.com. If I add s...

Cha0s

Symbol: ` in WLAN SSID brake all wlan interfaces. Or even not a symbol, but a virtual WLAN. When I create a virtual WLAN and reboot hap ac^2, I don't see all interfaces and export doesn't work in the console. DimaFIX - Please send supout.rif file from your router to support@mikrotik.com. If I add s...

Cha0s

The column sorting is done in the browser with Javascript, not in the database. I am just saying that sorting, the way it works now, it's pretty much useless on fields that do not contain plain numbers. If I want to sort by memory or cpu frequency the results are all over the place. Also if that's n...

Cha0s

Very nice!

Column sorting is a bit of a mess (nothing is sorted properly, except for columns with plain numbers), but we can live with it

Cha0s

How long does RouterOS take to shut down typically? I cannot find any indication of the progress once shutdown has been initiated? How vital it is to always shut down a unit properly (referring to SXT-LTE)

It takes just a few seconds. You don't really need to shut it down before removing power.

Cha0s

The problem occurred on both updated devices with the new cloud service and old devices with the old cloud service.

It just started to work the next day. But only after it caused havoc on vpns and other stuff that were based on ddns.

Cha0s

Yes, I just checked from other locations/ISPs too and it won't update.

Cha0s

After a long lasting power failure at the power company, when the router came back up it will not update its ddns via IP>Cloud. It is stuck on 'updating...' for well over two hours and does not actually ever update its ddns. Screenshot_8.png The router is an hAP ac^2 running v6.43.4 The router can r...

Cha0s

For SSL/TLS enabled websites, you definitely cannot inject advertisements (or anything else for that matter).
Regardless of which hotspot vendor you use (thankfully it's a protocol security measure, not a vendor limitation).

Cha0s

those use routeros, https://lorrier.com/ The LoRaWAN part is implemented with BeagleBones using the SPI bus. They use ROS only for the networking part, behind the BeagleBones. The gateway is based on iC880a LoRaWAN™ concentrator by IMST which uses Semtech SX1301 base band processor designed for use...

Cha0s

It just happened to me on one of my SSTP VPNs with version 6.34.4.

I get the same error in the logs. 'nonce not matching'

Cha0s

Try reinstalling the OS by doing a Netinstall.
https://wiki.mikrotik.com/wiki/Manual:Netinstall

Cha0s

*) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43);

Thanks for including this fix.
It works ok now

Cha0s

So now my problem would be whether I need a better model.

No, you don't need a better model. You need to configure FastTrack and you will able to reach 1Gbps.

Cha0s

Hello, Based on your setup, you may get less than gig. If you look at the gr3 specs, you'll see that with filters and bridges, throughput goes down depending on packet size. Regards Sent from Tapatalk Is there anything I can do to get the full speed on RB750Gr3? I am keeping the minimum setting as ...

Cha0s

Hi, Which is the best current configuration to the Mikrotik integration with FastNetMon? I'm using those: * Cache entries = 128k * Active Flow Timeout = 00:01:00 * Inactive Flow Timeout = 00:01:00 Netflow version = 9 Template refresh = 30 Template timeout = 30 FastNetMon is receiving data correctly...

Cha0s

After upgrading to 6.43.2 from 6.42.7 you can no longer have multiple IPsec peers to the same destination IP but with different source addresses. This regression is said to be fixed in 6.44beta14. Please check the change log in the post here . And I'd expect this kind fix to be merged to 6.42.x lat...

Cha0s

After upgrading to 6.43.2 from 6.42.7 you can no longer have multiple IPsec peers to the same destination IP but with different source addresses. Screenshot_17.png This worked fine on 6.42.7. What's the reasoning behind this restriction? I need multiple peers to the same destination but using differ...

Cha0s

Sure, So next time you login to your web-banking do not check for TLS. Just go blindly with http. Don't even check if you typed the correct domain or weather you got hijacked and redirected to another domain. What's the point anyway? Too many parties involved! :facepalm: People, it's 2018. Not 1996....

Cha0s

Why shame? Because there is no excuse anymore for any service to run without TLS. Certificates are free (if not dirt cheap for those that don't - for whatever reason - like Let's Encrypt). Why should any entity between the router and the update server even need to know what is being downloaded? TLS...

Cha0s

Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" d...

Cha0s

There is no way to present your message saying that the page is blocked. Besides encryption, the point of https is authenticity. If you could modify what the user could see then anyone could modify any https page leading to terrible security issues. So, no. Unless you create your own CA and install ...

Cha0s

And another interesting thread on the subject viewtopic.php?t=110925

Cha0s

+1
I've requested this back in 2014.
viewtopic.php?f=19&t=90564

Cha0s

So, us, professional users of ROS, that use it every day, should have to get stupid warnings, because of dummy users that mess up their firewall and never even bother to login to their routers ever again. Who exactly will this message be for then? Please. Stop trying to convert RouterOS to a 'DummyO...

Cha0s

Everything outside default protection rules. It should be only warning, nothing else.

So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?

Cha0s

Thanks!

Cha0s

Stop the use of the bundle package

+1

I don't see any benefit with the bundle package. It only confuses people.

Cha0s

I have set up automated exports and the output is saved in version control system, so I know what exactly changed and when.

Can you give more info on your setup/workflow?
I am interested in implementing something similar.

Thanks.

Cha0s

I think its unfair to call Mikrotik bone-heads in this case, as they are also saying no to the automatic upgrades. :lol: I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates. Another example is Dropbox. It upgrades whenever it feels like it. No notification, no...

Cha0s

I vote NO NTFS, and I also vote to remove SMB, or at least make it a package that I can remove. Better yet, move all of the "home user" features into a separate package so that us enterprise customers don't have to have that type of stuff in our routers. I vote +1 for making all SOHO features a sep...

Cha0s

Tesla Car should go to a safe place/shop in auto mode, stop, do the critical updade, notify the client and contact tesla support to check with the client has we are talking about a 160.000€ car .... what do you think ? I think that I wouldn't want my 160.000€ car to stop whenever it feels like it s...

Cha0s

Not true.

There is a software implementation that works on Linux.
https://sflow.net/about.php

Cha0s

Also, after the netinstall, I configured everything manually, I didn't restore the configuration from a backup just to make sure that the 'problem' was not restored with it. But it didn't make any difference.

Cha0s

I still haven't found any solution. I did a netinstall and the problem persists. As a temporary workaround I've set up a VM with MikroTik which acts as the router for IPv6. So I have a static route from the CCRs to that VM via a physical interface instead of the VLAN interfaces, and then I have the ...

Cha0s

Well,

You are the expert. Why don't you explain it to us then?

Cha0s

There's also an "Alerts" section in DHCP Server which can monitor for rogue DHCP servers and alert you. https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#Alerts It also allows for "On Alert" scripting which could be used to disable the offending ports or apply firewall rules. There's a relevant p...

Cha0s

Have you tried TP-Link or D-Link?

I am sure they are much easier with all their wizards whistles and bells.

If you find RouterOS hard, then it's probably not for you.

Cha0s

If your RouterOS version is between 6.29 and 6.42 you might be able to get a list of all users/passwords using this exploit: https://github.com/BigNerd95/WinboxExploit

Cha0s

This has been asked many times since the new routerboot firmware versioning but it has been ignored.

Cha0s

I noticed that interface "last link up/down times" are in the future.

interface up-down wrong time.png

Cha0s

Sigh.... I give up.

Cha0s

August 20?

So 6.42.7 does NOT contain a fix? Because the build time is Aug/17/2018 09:48:44.

Cha0s

I can confirm that the security fixes were added to the notes after the 6.42.7 thread was already posted! Why was this? https://i.imgur.com/dN9k4D4.png This is bad. I check for updates every day on this forum. The day this release was posted, I read the full changelog and there was nothing of conce...

Cha0s

The bridge does what it says. It bridges multiple ports/interfaces together. It's pretty much a "software switch". https://en.wikipedia.org/wiki/Bridging_(networking) In this instance it will take all interfaces (except the first one) and make them act as a switch so all of them can communicate with...

Cha0s

Another way would be to create an address list, add there the domains you want to block and then create a drop filter rule using that address list as the destination. I believe this is the less resource hungry solution. No need to open any packet to check anything (TLS or otherwise), and you are act...

Cha0s

Hi, You just need to write Destination-nat for those servers with different port number and specify the DNS records in your ip/dns/static for those two servers then you can open it from outside with one public ip address. (You just need to know about destination nat and PAT-port address translation...

Cha0s

In my experience, if you upgrade from (much) older versions using System > Packages > 'Check for updates' menu (ie: not manually uploading the packages to the router), it will first upgrade to an intermediate version and then you have to perform another upgrade to get to the latest version. I haven'...

Cha0s

Yeap, I've seen this too.

But I think it is solved by 6.42.5. I haven't seen it for a while now.

Cha0s

Currently is easy to make a brute force search for mikrotik devices using the cloud service as the names follow an simple pattern and is just an DNS query. The serial number consists of 12 hexadecimal characters. I wouldn't call making 184884258895036416 (12^16) dns lookups 'easy'. It's easier to j...

Cha0s

To go to a HTTPS page you most of the time need a initiate that on http. Those days are almost gone. HSTS Plus, all major browsers have their own predefined list of major websites that support https and will connect only to https even if you only type the domain in the address bar. https://hstsprel...

Cha0s

Yes we have to start somewhere. How about users start to read how networks work and don't make stupid mistakes like disabling a firewall? Where to start.... You talk about doing MITM essentially to modify forwarded traffic. That's preposterous! And what about TLS? Everything moves to TLS. Doing it o...

Cha0s

Try downgrading to an older version by manually uploading only the packages you want. After uploading you hit the 'downgrade' button on the Systems > Packages window It should downgrade and remove all other packages. After that, you can then use System > Packages > Check for updates to upgrade to th...

Cha0s

RouterOS calls home each day or week to check if there is something wrong. If so every http session gets a page displayed that an update is needed because the router is below the minimal required version. If ignored then after two weeks the router only functions when you are initiating an update. A...

Cha0s

So far I've narrowed down this to VLANs. Using IPv6 on normal interfaces works without any packet lost. Using IPv6 on VLAN interfaces (under an sfp+ interface - if it somehow makes any difference) will cause random packet loss to random IPs. It's like the neighbor solicitation/advertisement packets ...

Cha0s

It's monstrous! You're kidding, right? I have never seen people that you say "You have shit on pants" and he said "they are new and clean." I just said about the manufacturer's oversight, and you're proving to me that everything is perfectly well thought out. Hilarious. (On salary in Mikrotik?) In ...

Cha0s

I also never received an email about the winbox exploit. Mikrotik claims to have sent it, does anyone actually have a copy of it?

Same here. I only got an e-mail on March 29th about the www vulnerability. Never for the winbox vulnerability.

Search found 972 matches