MikroTik

carl0s

of course, the slash is escaping the dot so that it doesn't mean what a dot usually means in a regular expression (any char, any number of preceeding chars, whatever it is).
Makes sense now.

carl0s

I bought a book specifically about regular expressions. I found it rather too difficult to absorb by about page 5!

carl0s

Better use these two for philipcarroll.local and *.(*.(*.(...))).philipcarroll.local:

^philipcarroll\.local$
\.philipcarroll\.local$

That's a good point. With Active Directory there are many hierarchies in the DNS.. I missed that with my *.phillipcarroll.local

carl0s

Your tld is .local, not .local$. Don't escape the last $ in the regex. In fact you should unescape the CLI syntax, e.g. \\. => \. when pasting directly in Winbox. Omitting the slashes will make it match with other characters as well. E.g. philipcarrollBlocalWhateveryoulike would match. Better use t...

carl0s

Your tld is .local, not .local$. Don't escape the last $ in the regex. In fact you should unescape the CLI syntax, e.g. \\. => \. when pasting directly in Winbox. Why does the Wiki say: It is also possible to forward specific DNS requests to a different server using FWD type. This will fordward all...

carl0s

I got it to work :) I have no idea what the regexp stuff is about in the Wiki, but that would not work for me. a simple *.domain.local was enough then another one for the domain itself. I needed to fix the routers outbound traffic over the IPSec link (pref-source on a routing table entry). There's n...

carl0s

Although, it could be the IPSec tunnel. The router itself has no routing table to it, and there's no src-address= for the DNS FWD record. hmm.

carl0s

it doesn't bloody work at all!

That is exactly like the wiki example!

carl0s

I just connect to the device via default wifi. Open winbox. Select system Reset-configuration Skip backup Caps-mode I will try that way when I return to fit the second AP in the next week. Usually the first thing I would do is upgrade the firmware. Maybe that's where I'm going wrong. I don't know w...

carl0s

It seems like I did need to count to 11 instead. I was getting very frustrated. It was midnight and I already said I was leaving to come home 1 hour earlier. But.. Both the '11 second' reset (yes, I know, it's just my bad timing of seconds), and the QuickSet 'caps' mode did not work. It looks like t...

carl0s

So frustrating

the 10 second reset doesn't put it into cap mode.

choosing CAP from the QuickSet doesn't either, although it does leave the wifi not active and still eth1 firewalled so you have to go and physically reset.

6.47.8

carl0s

How about hackRF with sweep mode and gr-fosphor ? It's a while since I did it, but even my old Thinkpad X1 Carbon with 5th-gen Intel-core could do the 'realtime spectrum analyzer' style stuff thanks to the basic OpenCL in the GPU of this old laptop. I had been hoping to put an LimeSDR or XTRX into a...

carl0s

OH.MY.GOD.

carl0s

In 2 weeks, the SIP and RDP honeypot has captured 1336 addresses. I think it would be nice to have some tool or script that runs through the list and consolidates anything that can be consolidated into a CIDR notation, to make the list smaller. Any ideas ? I have a similar SIP & RDP honeypot set...

carl0s

Other is you need to connect using start->settings->VPN->the VPN you want to connect and click on connect there

Yes I agree it is this. Common Windows 10 problem. Usually after connecting once this long-winded way, you can connect again via the network connections popup in the corner.

carl0s

Anybody see this before? I have a ~5200 entries in address lists (sip and rdp honeypots), and I don't check CPU usage very often, but I don't think these large lists have been a problem before. Also, I just disabled the firewall rule that utilised those address lists, and it made no difference. http...

carl0s

please allow 'failed authentication' -> 'add to address list' it could cover SSTP, PPTP, Winbox, Telnet, etc. We could choose what to do with the address lists, the expiry, whether to put them to a stage-2 address list or something. But please it's an important missing feature from all of the Mikrot...

carl0s

well no, they work just fine for many many years...
I'm up to my third now in the past few months :-/

All from the same batch though, maybe I got unlucky.
Or something burns it...

I guess... maybe. I'm using the supplied PSU with the wapAc though.

carl0s

well no, they work just fine for many many years...

I'm up to my third now in the past few months :-/

All from the same batch though, maybe I got unlucky.

carl0s

I have about 35 wapAc boxes at Coffee shops.

I seem to be getting frequent failures of the RBGPOE poe injectors now that they have been in service for a year or more.

Anybody else getting similar?

carl0s

anyone?

carl0s

Hi. Using Capsman. I've noticed this before, but just wanted to ask.. when the internet is being used, and the Tx for the WiFi (virtual i/f from capsman v2) is showing 10Mbps to a laptop, and the PPPoE Internet on eth1-gateway is Rx for the same connection @10Mbps, then why does the bridge, which co...

carl0s

I'm sorry, I just noticed in the release notes for 6.44.1 there is a fix!

carl0s

Hi. I have set up email with a FROM: inside winbox. I have tried both an email address, and <an email address>, and have enabled debugging. I have set it to alert me of Account actions, so that I get a notification if somebody logs in. This seems like a good idea! but always, routeros is sending MAI...

carl0s

Does this have anything to do with the weird DNS problem I had on a wapAC during this period? It would not resolve a .net domain name, but would resolve a .co.uk that is on the same public DNS servers (ns.123-reg.co.uk) I had to put a static entry into the DNS on the routerboard, because the hostnam...

carl0s

Like I said, did anyone reported these problems to support? Only now, with this thread to you. Hopefully you can put it on the agenda 😊 Write to support, specify what configuration you had on the router when you created backup (preferably generate supout file) then restore backup and generate anoth...

carl0s

Regardless of whatever the official stance is from Mikrotik, some sort of useful backup/restore which doesn't require a plain-text config export, and/or have vital pieces missing, would be a very useful feature to help in disaster recovery. Instead, it seems like the best option is to keep a pre-con...

carl0s

No? Still No, Mikrotik??

FFS it would be able 3 lines of code for your developers

carl0s

Like I said, did anyone reported these problems to support?

Only now, with this thread to you. Hopefully you can put it on the agenda

carl0s

Another important check is:

check if you have static entrien on IP/DNS/Static

i found DNS A Record and CNAME to fake mikrotik download site

maybe for download an altered version of routeros

That's a really interesting one. I hadn't thought to check that!

carl0s

Just check in System -> Schedule. There will be a schedule to run a script every minute that continues to allow the hackers in. Remove the script from System -> scripts too. SOCKS proxy has probably been enabled. turn that off. check there are no new users added under System -> users change the pass...

carl0s

Define "same type of device"? Backup was never intended to work between different HW models. You can restore backup reliably only on exactly the same HW model. I've used the word 'identical' a few times here. I even ensured the routerOS was the same version too. Identical model hardware -...

carl0s

But when old HW is broken, fired or drowned in water problem is more complicated. Exactly. I starting taking backups of my customer's Mikrotik boxes some time ago. I was also hit with the RB450G capacitor failures ~5 or 7 years ago.. but.. these backups are basically useless aren't they. If the res...

carl0s

Define "same type of device"? Backup was never intended to work between different HW models. You can restore backup reliably only on exactly the same HW model. wAPac to wAPac. They look the same to me but who knows what goes on inside! I guess the backup has the interface configs tied to ...

carl0s

this is turning into a really bad day for me now :( I restore the config - from same type of device running same firmware. It has hotspot enabled. when the new device boots, wlan is down, and ethernet I guess is blocking everything. I know it has an IP from my other router, but I can't get into it. ...

carl0s

I have lots of hotspots to set up on wAPac Why does backup/restore never work :( They are both on the same version, I have even put an 'accept all' at the top of the configuration before doing the backup. I guess it's because interfaces don't match up, but that's really bad :( last time I had to do ...

carl0s

Actually this would put the mikrotik in the middleman role. It has to be considered as unsafe. I understand that some people do not care about it, but I rather build my own management network instead of rely on services that I cannot control and that can do whatever I do not know what above what th...

carl0s

Received the EdgeRouter ER-X today. It's a tidy little box :-) the O/S looks nice. Quite a lot less power than Mikrotik / Winbox. However, there's the added flexibility of a full Linux bash shell! I have resisted 'the other side' even though everywhere I see a point-to-point wan (wireless ISP in the...

carl0s

Yes, some low end chinese phones have such issues. I suggest for now to use better phones, since we can't solve this issue quickly. These phones are known to have issues. We have checked this issue, and there is incompatibility with these chips and the RouterOS driver. We can't easily solve it, it ...

carl0s

I have had this problem a lot too. It seems like the communication doesn't happen. Never used to happen, but happened to me frequently in the past year when setting them up. You can see "Managed by capsman", but you will see no channel selected or any configuration settings retrieved. I th...

carl0s

Really? Isn't it just a fancy sounding putting of cloud word everywhere? Nothing against, just asking what is it above a vpn? Yeah I don't get this either. SDR I get - software defined radio. And it makes sense too. Very powerful and useful. Sofware Defined WAN ? Well of course, it's always softwar...

carl0s

I have an ER-X. The GUI is definitely more "whiz bangy" and you use the web gui (or cli of course), not something like Winbox. MikroTik seems to do a lot more for your money software wise, but hey, if it doesn't support something that this one does, get it. It's a nice little machine. It'...

carl0s

The above is an Intel 8260 card in my Thinkpad x1. My phone (Lg G5) was Ok. I altered some driver settings on my laptop (enabled U-APSD support, and enabled Throughput Booster, which were both disabled before), and now everything is back to normal. The thing is though, i'm not sure if they have real...

carl0s

Any ideas what's going on here? When I did my surveying and testing yesterday everything was great. Now today, no matter what I do, selecting channels, bandwidths manually (including superchannel for testing), I can not get tx rate above 54mbps. So my maximum bandwidth from internet is ~24mbps :( tx...

carl0s

It does do hw crypto offload for ~400mbps IPsec, and DNS conditional forwarders. That's all I need. They do udo openvpn but it's slow (25mbps) and I've never actually used openvpn anyway so that's not of interest to me. I just need IPsec and conditional DNS forwarder for the remote active-directory ...

carl0s

It looks like this will do what I need (with a simple dnsmasq cli option). I think it'll do openvpn UDP if you want too. It looks like an rb750gr3 with a different operating system. That hardware has AES acceleration. Not sure if this non-mikrotik o/s supports it yet though. https://www.eurodk.com/e...

carl0s

You probably know this thread . With its 10th anniversary drawing near, it would be nice present from MikroTik, if they finally implemented it. Otherwise I'll probably start losing hope. And no, you can't make your own packages. There are some tools to unpack .npk files, but not to create them. The...

carl0s

Mikrotik: can I build my own package and install that on RouterOS? I need conditional DNS forwarders.

carl0s

You also need to exclude the IPSec subnets from the masquerade natting rule. there's a few articles about that. in my instance here, I have just set !192.168.88.0.24 in the destination address of my standard internet-masquerade src-nat rule. The preferred way though is to add an entry into the Firew...

carl0s

Thank you carl0s, I see, so I don't have to worry if I don't see a route to that network in the routing table. I have one more thing that I can try to fix the issue. At the moments my ping to the dst-net time out. If you are pinging from the Mikrotik itself, make sure you set src-address so that it...

carl0s

With the Mikrotik, IPSec does not create a virtual interface (many people requested it, but have to use IP in IP, L2TP, PPTP, etc instead), and you don't need to add any routes.

The packets head for the default route, but the IPSec policy matches the source/dst subnets, and does what it needs to do.

carl0s

I'm completely bemused why there's no support (after many requests) for this: You enter a domain name in the DNS configuration, and then enter the ip address(es) of DNS servers to forward the requests for that domain to. The Mikrotik can cache it. What's the problem? Surely this could be coded in an...

carl0s

I am experimenting with throttling the UK side, where we have 100mbps Internet and where the SMB server is located. I am trying to throttle it back to the ~5mbps that the far end can usually receive. i.e. packet pacing. What I am seeing is that Server 2016 is barely unusable, Server 2008 is OK but s...

carl0s

Hi. We have 220ms R.T.T. between Malaysia and England. Any tips for VPN passing SMB? We're using pure IPSec (no l2tp or other tunnel). It's working, but on SMB in particular, it seems to transfer, then stall, then pick up again, then stall. Never getting more than ~3mbps out of a 10mbps line (in Mal...

carl0s

actually, now it is all working..

but I don't think I have changed anything

carl0s

weird.. yes it works from the Mikrotik itself! [admin@MikroTik] > /tool traceroute 192.168.1.1 src-address=192.168 # ADDRESS LOSS SENT LAST AVG BE 1 100% 10 timeout 2 192.168.1.1 0% 9 255.4ms 244.4 215

carl0s

If you run traceroute from router itself, make sure you specify correct source-address. Otherwise in most cases trace is not matched by policy and sent via WAN interface with public src-address Thank you yes I was just going to say, the policy will only match LAN. It's strange that this has been wo...

carl0s

Thanks I will look further. The trace route is from the Mikrotik itself though. Does this make a difference?

carl0s

For additional clarification.. We have: Malaysia: [LAN] 192.168.88.0/24 Malaysia [WAN] 1.2.3.4/29, gateway 1.2.3.1 (provided by building manager) UK [LAN] 192.168.1.0/24 UK [WAN] x.x.x.x.x (our own subnet) if I try to ping 192.168.1.x from the Malaysia LAN, nothing works.. does not go through. Mikro...

carl0s

Hi. Strange one. i sent a Hexgr3 over to Malaysia and we have a nicely working IKEv2 IPSec vpn between there and here in the UK. Over the weekend, it looks like the Internet provider (actually the business centre) in Malaysia, has added a class-C 192.168.1.0/24 network onto the upstream router that ...

carl0s

I think I see the same problem...

I thought it was a bridge problem, but disabling that fasttrack rule makes it start working again.

I've been here ages.. arrgh.

carl0s

from 6.39 changelog: *) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes; So yes, CHR will have increased AES performance if v6.39 is installed, but this only works with IPSec, not SSTP. It would be super cool if you guys would work on rebuilding the SSTP stuff to use the hardware c...

carl0s

Hi. I know the Omnitik 5 (poe) AC has only a single radio - QCA9892 I read somewhere that this chip can do simultaneous 5GHz and 2.4GHz. Is this supported in the Omnitik 5 AC ? I am looking for a good AP for the middle of a building. This looks to have better antenna gain than the hAP AC, and same s...

carl0s

Yes I did wonder the same. The hardware does encryption and usually with VPN types you can specify the encryption type, so long as we find one that is common between SSTP and what the hardware offers.. Anyway, yes, the Future... lots of things take a long time around here don't they :-) It's just th...

carl0s

Hi. The new affordable routers with 'IPSec hardware encryption acceleration' (RB750Gr3).

.. can the hardware acceleration work for SSTP as well? or only IPSec?

carl0s

What does 'distance' actually change anyway?
ACK

Thanks.

carl0s

Oh look, the 5GHz has almost the same weird setting! it says 255Km!!

I think the firmware upgrade has done this ?

What does 'distance' actually change anyway?

Screenshot from 2016-11-24 22-52-48.png

carl0s

OK I found the problem, but I don't know how it happened.

'distance' was set to 250Km.

I changed it to indoors, and all is well.

Any idea how this would change? chrome auto-fill cockup while using webmin? a bug during upgrade to -rc ?

carl0s

Hi. I seem to be having terrible trouble with 20MHz 802.11 "only N" from my hAP AC. It's like there is extreme interference, but I am using a HackRF to look at the spectrum, and I don't think there is any interference, although I am quite new to it so some of the peaks I am seeing may inde...

carl0s

I have tried mAP2n-lite now as well. This is dual-chain or whatever (300mbps on 802.11n).
It also finally supports proper PoE.
It's also tiny.

I have some issues with compatibility but I think I need to experiement with channel setup. I'm using CAPsMANv2.

carl0s

The new hAP AC doesn't support 802.3af? Are you sure?

I know Mikrotik only usually works with passive PoE, but I have the new mAP2n-lite, and this does indeed support proper 802.3af PoE, so I was thinking this might finally be the norm for Mikrotik? About time if so.

carl0s

Thanks for the info.

2 chain means it will do 300mbps 802.11n ?

I may wait for HAP AC. I know the "lite" is available now, as an International version or something, but I can wait longer.

carl0s

I managed to get the Broadcom a/b/g to connect at 40MHz as well now, and it works good.

Here are the settings (in the attached image) - I had already changed the first one, but didn't see the second option until later.

broadcom 40MHz.png

carl0s

actually, my other laptop with Intel wifi, does connect at 40Mhz, 135mbps, and is a lot better.
but the Broadcom in my Dell XPS 13 2015 doesn't.

carl0s

I love CAPsMAN, but I wish it was clearer that the map2n is only single chain 2.4ghz, and won't give more than 44mbps throughput (65mbps link). I'm not mistaken am I? It doesn't work with "40mhz" (is this the same as 20mhz with an extension channel? which would require another chain.. or a...

carl0s

Hi.

USB Huawei E392 from EE/Orange in the UK.

RouterOS 6.1 on rb751 series.

Is detected as a USB device, but there is no USB serial ports showing up.

Any way to make this work? Have tried reboots, power down, etc.

Thanks,
Carl

carl0s

could you try to unplug the usb device, shutdown the routerboard and remove the power. Then plug the usb device back and only then plug the power back to the board. Then check again. WOW!!!! I downgrade ruter back to 5.23 and today I make upgrade to 5.24... In first it did not work as usual, but, t...

carl0s

I had the same problem on an RB2011 today. I put a 5 port switch in between, but this isn't ideal for various reasons.

carl0s

For an update: This has nothing to do with the Mikrotik. After returned to previous equipment / broadband, the problem remains. Its an ITSP or PBX problem.

carl0s

pref. source is still ignored on static routes!! This has been going on for years, and Mikrotik staff never respond. Workaround might be src-nat, but why?? It's not good enough. I have a pppoe interface which receives a dynamic WAN IP. My ISP gives me a subnet (/29) which is routed through this dyna...

carl0s

Have you turned off the SIP alg? (ip -> firewall -> service ports). You should.

carl0s

Hi. I'm not sure if this problem is caused by the BT connection, or what. It's a new BT DSL line (16mb down, 1.1mb up), and to use this line I decided to try an RB450G with a Draytek Vigor 120 PPPoE modem. I started with a single WAN IP, and performing NAT. I tried with and without SIP helper, and I...

carl0s

Same question! I need src_mac and dst_mac. Any ideas? I see these fields: Template (Id = 256, Count = 16) Template Id: 256 Field Count: 16 Field (1/16) Type: LAST_SWITCHED (21) Length: 4 Field (2/16) Type: FIRST_SWITCHED (22) Length: 4 Field (3/16) Type: PKTS (2) Length: 4 Field (4/16) Type: BYTES (...

carl0s

I agree. It's a pain.
I will need to find a half-bridge, or 1:1 NAT capable router in order to use a routerBOARD for a customer I have in mind.
+1 for xDSL interface modules, or integrated routers.

carl0s

Same problem on two green capacitors of RB450G bought about a year ago from Lin-ITX.

Search found 85 matches