Community discussions

Search found 44 matches

by minfrin
Fri May 29, 2020 8:26 pm
Forum: General
Topic: Collectd monitoring via SNMPv3 - Timeout (plaintext scopedPDU header type 00: s/b 30)
Replies: 1
Views: 610

Re: Collectd monitoring via SNMP - Timeout (plaintext scopedPDU header type 00: s/b 30)

Turns out all routerboards default to the same engine-id by default. This confuses net-snmp, and in turn collectd-snmp, which use one engine definition for all unrelated connections. One router works, all other routers reject the packets, and trigger the timeouts. Workaround is to manually set a uni...
by minfrin
Fri May 29, 2020 7:14 pm
Forum: General
Topic: snmp,debug v3 err: 1 not in time window or incorrect engine boots
Replies: 1
Views: 493

Re: snmp,debug v3 err: 1 not in time window or incorrect engine boots

What it means is that two or more hosts (in this case routerboards) have the same SNMPv3 engine ID, and net-snmp has mixed up the hosts it has been told to monitor, and is using the engine ID from one router to send requests to another. In this case you will see one router return SNMPv3 data as norm...
by minfrin
Thu May 28, 2020 5:18 pm
Forum: General
Topic: snmp,debug v3 err: 1 not in time window or incorrect engine boots
Replies: 1
Views: 493

snmp,debug v3 err: 1 not in time window or incorrect engine boots

Hi,

I have a router that responds as follows to an SNMPv3 request:

snmp,debug v3 err: 1 not in time window or incorrect engine boots

What does it mean, and how do I fix it?

Regards,
Graham
--
by minfrin
Sun May 24, 2020 2:07 pm
Forum: General
Topic: Collectd monitoring via SNMPv3 - Timeout (plaintext scopedPDU header type 00: s/b 30)
Replies: 1
Views: 610

Collectd monitoring via SNMPv3 - Timeout (plaintext scopedPDU header type 00: s/b 30)

Hi all, Trying to monitor various routerboards using collectd. Snmpwalk using SNMPv3 works great, I can connect to the routerboards no problem. In the case of collectd, I can connect to one big switch and get a response, or two small switches and get a response, and more than that and the attempts t...
by minfrin
Thu Apr 30, 2020 12:42 am
Forum: RouterBOARD hardware
Topic: hEX S + SFP+ in the near future?
Replies: 1
Views: 1041

hEX S + SFP+ in the near future?

Hi all,

Is there any chance of one of these with SFP+ on the roadmap?

https://mikrotik.com/product/hex_s

Regards,
Graham
--
by minfrin
Sun Feb 16, 2020 1:36 am
Forum: General
Topic: SCEP and https URLs: failure: Not a HTTP URL!
Replies: 0
Views: 1989

SCEP and https URLs: failure: Not a HTTP URL!

Hi all, When adding a SCEP server that is part of a wider SSL secured server, the following error occurs: [minfrin@router] /certificate> add-scep template=test-name scep-url=https://interop.redwax.eu/test/simple/scep failure: Not a HTTP URL! Are there plans to fix the SCEP client so that it can conn...
by minfrin
Sun Feb 16, 2020 1:11 am
Forum: General
Topic: Certificates and the Y2038 bug: invalid-after=jan/01/2038
Replies: 0
Views: 1510

Certificates and the Y2038 bug: invalid-after=jan/01/2038

Hi all, Testing some interoperability on routeros v6.46.3, and have picked up that a digital certificate cannot be valid past Jan 1 2038. The certificate in question is valid until Feb 6 16:38:56 2040. 1 T name="test-name_CA" issuer=CN=Redwax Interop Testing Root Certificate Authority 2040,O=Redwax ...
by minfrin
Mon Nov 19, 2018 12:18 pm
Forum: General
Topic: How do you use ssh agent forwarding on the routeros ssh client?
Replies: 9
Views: 1655

Re: How do you use ssh agent forwarding on the routeros ssh client?

Unfortunately port forwarding (whether using the command line or config) only allows you to jump one step past a mikrotik, and is therefore not useful in a secure environment.

Can you confirm when SSH agent forwarding will be supported?
by minfrin
Fri Nov 16, 2018 12:43 pm
Forum: General
Topic: How do you use ssh agent forwarding on the routeros ssh client?
Replies: 9
Views: 1655

Re: How do you use ssh agent forwarding on the routeros ssh client?

How do I get this supported by Mikrotik?

We have a strict no password policy, and the inability to forward keys makes it difficult for us to enforce that policy.
by minfrin
Thu Nov 15, 2018 7:35 pm
Forum: General
Topic: How do you use ssh agent forwarding on the routeros ssh client?
Replies: 9
Views: 1655

How do you use ssh agent forwarding on the routeros ssh client?

Hi all, I have routerboard B, that I need to ssh to via routerboard A. All user accounts are protected by SSH keys. I am struggling to get ssh agent forwarding to work. When I log into routerboard A I can log into successfully, but when I log into routerboard B I am asked for a password, when I shou...
by minfrin
Wed Nov 14, 2018 11:36 pm
Forum: Beginner Basics
Topic: Need help - cannot enter admin page on CAP AC
Replies: 6
Views: 4173

Re: Need help - cannot enter admin page on CAP AC

I have exactly the same problem - brand new CAP ac, and it does not have an IP address on boot. No access to a PC, and therefore no ability to run winbox. Did you ever solve this? Edit: Moments later I stumbled on a post that recommended using /tool mac-telnet <MAC> from another mikrotik - this work...
by minfrin
Sat Oct 13, 2018 12:38 am
Forum: General
Topic: IKEv2 VPN and IPv6-tunneled-in-IPv6 - is this supported?
Replies: 2
Views: 546

Re: IKEv2 VPN and IPv6-tunneled-in-IPv6 - is this supported?

Maybe you're looking for Cisco's ipv6 encapsulation with GRE header? You can add ipv6 in ipv6 by this method I think.
Will this work with a MacOS / iOS / Windows 10 VPN client?

Currently IPv4-in-IPv6 works with MacOS VPN IKEv2, looking for IPv6-in-IPv6.
by minfrin
Thu Oct 11, 2018 3:45 pm
Forum: General
Topic: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?
Replies: 5
Views: 1967

Re: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?

Wait. Depending on how the certificate of the RADIUS is generated (self-signed or signed by CA), the RADIUS server must provide the complete chain and the Mikrotik must either have that certificate itself (if it is self-signed) or the CA certificate (if it is signed by a CA) in its trusted certific...
by minfrin
Thu Oct 11, 2018 3:33 pm
Forum: General
Topic: IKEv2 VPN and IPv6-tunneled-in-IPv6 - is this supported?
Replies: 2
Views: 546

IKEv2 VPN and IPv6-tunneled-in-IPv6 - is this supported?

I have successfully got an IPv4 tunnel running through an IPv6 connection, and this works successfully (for the record, the config is below). Does RouterOS support an IPv6 tunnel running through an IPv6 connection? If so, what must the policy look like to make this work? /ip ipsec mode-config add ad...
by minfrin
Fri Mar 02, 2018 3:41 pm
Forum: General
Topic: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?
Replies: 5
Views: 1967

IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?

Hi all, I have successfully configured routeros to allow VPN clients to connect via IKEv2, backed with radius, and authenticating using EAP-TLS (no passwords). The config is below. What I discovered is that this configuration would only work if I took the private key and certificate of our radius se...
by minfrin
Fri Aug 07, 2015 3:52 am
Forum: General
Topic: IPv6 multicast - preventing the swamping of switch ports
Replies: 0
Views: 386

IPv6 multicast - preventing the swamping of switch ports

Hi all, I have an IPv6 multicast source that is providing a number of multicasted channels into a Mikrotik 750G on various multicast addresses. Other ports on the 750G are currently being swamped by the traffic, and I'm trying to find a way to cut this traffic down. I understand that Multicast Liste...
by minfrin
Thu Mar 05, 2015 7:38 pm
Forum: Wireless Networking
Topic: EAP-TLS, radius and Session-Timeout: timeout doesn't seem to have any effect
Replies: 0
Views: 634

EAP-TLS, radius and Session-Timeout: timeout doesn't seem to have any effect

Hi all, I have an AP running a wifi network backed with radius and EAP-TLS, and this is working fine. What I'm struggling with is trying to convince the AP to re-authenticate the client with the radius server, just in case in the meantime, access has been revoked. I have configured the radius serve...
by minfrin
Tue Jun 11, 2013 7:46 pm
Forum: General
Topic: OpenVPN and IPv6
Replies: 11
Views: 4694

Re: OpenVPN and IPv6

I have managed to find references that say that IPv6 works with openvpn in ethernet mode (http://forum.mikrotik.com/viewtopic.php?f=13&t=38026#p187333), it would be good to get a definitive answer. What I have found is that the tunnel seems to be established without a problem, and IPv4 works. The IP...
by minfrin
Tue Jun 11, 2013 3:31 pm
Forum: General
Topic: OpenVPN and IPv6
Replies: 11
Views: 4694

OpenVPN and IPv6

Hi all, I am trying to set up an openvpn server and a RouterOS ovpn client, and have successfully got this working for IPv4. I am now trying to set up openvpn to hand out an IPv6 address, and I am struggling, the openvpn side logs that an IPv6 address is offered to the RouterOS side, but the RouterO...
by minfrin
Mon Oct 08, 2012 1:57 pm
Forum: General
Topic: Feature request: SSL/TLS support for "/tool fetch" (https)
Replies: 4
Views: 1749

Feature request: SSL/TLS support for "/tool fetch" (https)

Hi all, Are there any plans to support https with /tool fetch? It turns out that /tool fetch is used to implement many of the dynamic DNS services, and because the password is revealed to the net in clear text, an attacker can take over the dynamic DNS account. I'd like a way to prevent this. Regard...
by minfrin
Sun Jun 17, 2012 6:26 pm
Forum: General
Topic: ipsec with remote-certificate: Invalid ID length in phase 1
Replies: 1
Views: 3174

Re: ipsec with remote-certificate: Invalid ID length in phas

Adding some more information, the message "Invalid ID length in phase 1" appears inside the racoon code, and means one of two things: - The DN of the certificate presented by server doesn't match the DN expected by the routerboard. - The user FQDN provided inside the subjectAltName doesn't match the...
by minfrin
Sat Jun 16, 2012 3:28 am
Forum: General
Topic: ipsec with remote-certificate: Invalid ID length in phase 1
Replies: 1
Views: 3174

ipsec with remote-certificate: Invalid ID length in phase 1

Hi all, I have configured a routerboard to establish an ipsec transport policy to an openswan peer, where both sides are authenticated with digital certificates, each one signed by a separate CA, one CA for (what will become) the concentrator, and a second CA for (what will become) the Mikrotik clie...
by minfrin
Tue Jan 10, 2012 6:25 pm
Forum: General
Topic: Wpa2-eap + radius Filter-Id - does this work?
Replies: 1
Views: 627

Wpa2-eap + radius Filter-Id - does this work?

Hi all, I have a wireless access point, configured to use wpa2-eap against a radius server to authenticate. So far, this works fine. I've configured the radius server to return the Filter-Id attribute in an effort to create a custom firewall rule for each person connected to the access point, but so...
by minfrin
Mon Jan 09, 2012 12:54 am
Forum: General
Topic: EAP and WISPr-Redirection-URL: redirecting users after login
Replies: 0
Views: 889

EAP and WISPr-Redirection-URL: redirecting users after login

Hi all, I have an EAP-TLS secured network that allows people to authenticate using radius, and so far this is working fine. What I'd like to do, is for certain users, based on the radius response, I would like to redirect them to a given webpage on connection, like you would with a hotspot. I've tri...
by minfrin
Tue Dec 27, 2011 7:44 pm
Forum: Wireless Networking
Topic: iPhone4 to Mikrotik wpa2-eap - connection never completes
Replies: 3
Views: 1932

Re: iPhone4 to Mikrotik wpa2-eap - connection never complete

The message "dhcp2 offering lease ... without success" was the key in this case, I needed to add an entry beneath "/ip dhcp-server network" for that specific DHCP pool, which for some reason was missing.
by minfrin
Tue Dec 27, 2011 5:50 pm
Forum: Wireless Networking
Topic: iPhone4 to Mikrotik wpa2-eap - connection never completes
Replies: 3
Views: 1932

Re: iPhone4 to Mikrotik wpa2-eap - connection never complete

I had originally tried wpa2-eap, and the iOS v5.0.1 phone had failed with the same effect. I have now managed some more experimentation, a second iPhone4 running iOS v4.3.5 successfully connects, but for no clear reason the DHCP doesn't complete. If you attempt to renew the lease on the iOS v4.3.5 d...
by minfrin
Tue Dec 27, 2011 4:24 am
Forum: Wireless Networking
Topic: iPhone4 to Mikrotik wpa2-eap - connection never completes
Replies: 3
Views: 1932

iPhone4 to Mikrotik wpa2-eap - connection never completes

Hi all, I have configured a Mikrotik routerboard to have a wireless network that attempts to authenticate using EAP-TLS with a client certificate only, passed through to a radius server which verifies everything. So far, the radius server seems to be working correctly, and the user is accepted, but ...
by minfrin
Sat Jun 19, 2010 4:32 pm
Forum: General
Topic: After reboot, /ip dns changes revert to old settings
Replies: 1
Views: 633

After reboot, /ip dns changes revert to old settings

Hi all, I have a strange problem with /ip dns. I need to update the name of the DNS server in routerboard, and so use /ip dns to change the settings. I can view the new settings, and the routerboard's DNS now works, so far so good. I then reboot the routerboard, and the old dns settings have ...
by minfrin
Sat Jun 19, 2010 4:28 pm
Forum: General
Topic: Routeros v4 upgrade via ssh (ie without winbox)
Replies: 2
Views: 1358

Routeros v4 upgrade via ssh (ie without winbox)

Hi all, I have some routerboards that are embedded within a site, and getting an internet connected windows laptop running winbox up onto the sloped roof of a set of buildings so we can click on "upgrade key" is going to be a health and safety issue for us. Does a method exist to get our license key...
by minfrin
Sun Apr 11, 2010 10:47 pm
Forum: General
Topic: Cannot communicate securely with peer: no common encryption
Replies: 2
Views: 2523

Re: Cannot communicate securely with peer: no common encrypt

The clock was wrong (ntp problems, which I'm battling with separately), but the clock wasn't related in this particular case. I managed to restore the hotspot by deleting the certificate from the routerboard, reimporting it, then setting the "ssl-certificate" parameter within the hotspot-profile bac...
by minfrin
Sun Apr 11, 2010 10:07 pm
Forum: General
Topic: Cannot communicate securely with peer: no common encryption
Replies: 2
Views: 2523

Cannot communicate securely with peer: no common encryption

Hi all, I have a 433 routerboard / routeros v3.30 that a while ago had successfully been configured as a wireless hotspot, complete with an SSL certificate. This worked fine. Having just tried to connect to the hotspot after some time not using the hotspot, I suddenly receive the following erro...
by minfrin
Sun May 17, 2009 3:05 pm
Forum: Wireless Networking
Topic: Detail howto requested: separating traffic from a virtual AP
Replies: 2
Views: 742

Re: Detail howto requested: separating traffic from a virtual AP

Linux is set up to handle VLAN tags, yes (the interface eth3.2 means "VLAN 2" on "interface 3"). Tcpdump is showing the tagged packets correctly, but ping didn't work.
by minfrin
Sun May 17, 2009 4:15 am
Forum: Beginner Basics
Topic: Setting the initial IP address - how?
Replies: 4
Views: 936

Re: Setting the initial IP address - how?

This directly contradicts the advice given on the Mikrotik wiki here: http://wiki.mikrotik.com/wiki/Initial_MAC_Winbox_Connection Would it be possible to take this wiki page down, as it no longer seems accurate? I had no luck with a serial cable either, what eventually worked was to hard reset the ...
by minfrin
Sun May 17, 2009 2:50 am
Forum: General
Topic: IPsec secured L2TP tunnels - how?
Replies: 0
Views: 542

IPsec secured L2TP tunnels - how?

Hi all, According to the manual, underneath /ip ipsec peer, it is possible to have L2TP tunnels secured using ipsec: generate-policy (yes | no; default: no) - allow this peer to establish SA for non-existing policies. Such policies are created dynamically for the lifetime of SA. This way it is possi...
by minfrin
Wed May 13, 2009 1:21 am
Forum: Beginner Basics
Topic: Setting the initial IP address - how?
Replies: 4
Views: 936

Re: Setting the initial IP address - how?

Some brief success with Darwine, the most recent development version (1.1.20) won't work, you need to use the latest stable version (1.0.1) for winbox to start. The success is short lived - winbox cannot find the routerboard, with one exception - if an attempt is made to leave the search window open...
by minfrin
Wed May 13, 2009 12:35 am
Forum: Beginner Basics
Topic: Setting the initial IP address - how?
Replies: 4
Views: 936

Setting the initial IP address - how?

Hi all, I have a brand new routerboard, and I need to set its initial address. I tried to Google for details of what the default IP address might be, and came back with hits to say there isn't one (???). I found the page below, describing how I might run winbox.exe through the Darwine emulator for M...
by minfrin
Sun May 10, 2009 2:15 pm
Forum: General
Topic: ip dhcp-server: no such IP network on selected interface
Replies: 4
Views: 4266

Re: ip dhcp-server: no such IP network on selected interface

One thing I see: vlan-public and wlan-g-public have the same localnets. I would recommend changing one of them. That is probably the reason the wlan-g-public network assignment is messed up. It should look like this: 2 172.16.250.3/23 172.16.250.0 172.16.251.255 wlan-g-public but vlan-public has th...
by minfrin
Sun May 10, 2009 2:21 am
Forum: General
Topic: When an "invalid" flag appears, how do I find the reason?
Replies: 5
Views: 948

Re: When an "invalid" flag appears, how do I find the reason?

What I am really trying to do is try to set up a hotspot, it is not clear from the documentation whether you need to configure a dhcp server to be used by a hotspot, or whether the hotspot does this on its own. The attempt to create a hotspot using the hotspot setup wizard also results in a hotspot tha...
by minfrin
Sun May 10, 2009 1:05 am
Forum: General
Topic: ip dhcp-server: no such IP network on selected interface
Replies: 4
Views: 4266

Re: ip dhcp-server: no such IP network on selected interface

I continue on regardless, and I try to enter nothing as a DHCP relay, as I don't want to use a DHCP relay: dhcp relay: invalid value for argument relay Ok, so it wants a dhcp relay. So I try the default value: dhcp relay: 172.16.252.3 Select pool of ip addresses given out by DHCP server addresses to...
by minfrin
Sun May 10, 2009 1:00 am
Forum: General
Topic: ip dhcp-server: no such IP network on selected interface
Replies: 4
Views: 4266

ip dhcp-server: no such IP network on selected interface

Hi all, While using the setup tool in an attempt to configure dhcp, I am getting an error message that I do not understand. First off, my ip addresses look like this: # ADDRESS NETWORK BROADCAST INTERFACE 0 172.16.252.3/24 172.16.252.0 172.16.252.255 wlan-a-backbone 1 172.16.250.2/23 172.16.250.0 17...
by minfrin
Sun May 10, 2009 12:48 am
Forum: General
Topic: When an "invalid" flag appears, how do I find the reason?
Replies: 5
Views: 948

Re: When an "invalid" flag appears, how do I find the reason?

Yes:

3 172.16.250.3/23 172.16.250.3 172.16.250.3 wlan-g-public

It doesn't answer why no reason is given for the error. Is there a way to get some kind of human readable error message out of this?
by minfrin
Sun May 10, 2009 12:13 am
Forum: General
Topic: When an "invalid" flag appears, how do I find the reason?
Replies: 5
Views: 948

When an "invalid" flag appears, how do I find the reason?

Hi all, After making an attempt to add a dhcp-server on a wifi interface, as below, the dhcp-server is flagged as "invalid": Flags: X - disabled, I - invalid # NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP 0 I server1 ether3 dhcp-eth3 3d yes 1 I dhcp-public wlan-g-public public-pool 1h yes Is...
by minfrin
Sat May 09, 2009 6:57 pm
Forum: Wireless Networking
Topic: Detail howto requested: separating traffic from a virtual AP
Replies: 2
Views: 742

Detail howto requested: separating traffic from a virtual AP

Hi all, Does anyone have a detailed howto to solve the following problem: I have an access point, with a virtual AP configured inside it for public use. The main AP is protected WPA2, and works fine. The virtual AP is configured as an open system, and also works fine. What I am struggling to achieve...
by minfrin
Sat May 09, 2009 2:56 am
Forum: Wireless Networking
Topic: Public wifi, VLAN tagged, then connected to a Linux machine
Replies: 0
Views: 942

Public wifi, VLAN tagged, then connected to a Linux machine

Hi all, I have a simple mikrotik wifi access point, which is plugged directly into a Linux router. I want to have two wireless LANs, one a private WLAN, which works fine, bridged to ether1, and a second public WLAN, bridged to VLAN-2, in turn attached to ether1. The first private WLAN works fine, th...