Community discussions

Search found 186 matches

by dog
Tue Jan 19, 2016 12:15 am
Forum: General
Topic: Packet Mark no longer retained after decrypting IPSec in v6?
Replies: 3
Views: 623

Re: Packet Mark no longer retained after decrypting IPSec in v6?

So, while I can no longer get the packet marking to work like in v5, there now seems to be a native replacement:

/ip firewall filter> add ipsec-policy=
IpsecPolicy ::= Direction,Policy
Direction ::= in | out
Policy ::= ipsec | none

Setting it to "in,ipsec" will only match packets that were decrypted ...
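The matcher from the post used in place of the v5 packet-mark hack, as an added example that is not the post's own configuration. Interface-independent, but the subnets (192.168.50.0/24 behind the remote peer, 192.168.1.0/24 locally) and the packet-mark name are assumptions.

```routeros
# Added example, not from the original post. Assumed: the remote IPsec network
# is 192.168.50.0/24 and the local LAN is 192.168.1.0/24.
/ip firewall filter
# IKE, NAT-T and ESP must reach the router before anything can be decrypted
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
# ipsec-policy=in,ipsec matches only packets that were just decrypted, i.e. the
# payload that in v5 had to be tracked via the udp/4500 packet mark
add chain=forward ipsec-policy=in,ipsec src-address=192.168.50.0/24 dst-address=192.168.1.0/24 \
    action=accept comment="decrypted traffic from the remote site"
# The same source addresses arriving in the clear did not come through the
# tunnel, so they are spoofed: drop them instead of letting them ride the accept above
add chain=forward ipsec-policy=in,none src-address=192.168.50.0/24 \
    action=drop comment="remote-site addresses outside IPsec"

/ip firewall mangle
# Direct replacement for the v5 rule: mark the decrypted packet, not the NAT-T envelope
add chain=prerouting ipsec-policy=in,ipsec action=mark-packet new-packet-mark=ipsec-input passthrough=no
```

The "in,none" drop is the part worth keeping even if nothing else is used: an accept rule that matches on source address alone is bypassed by anyone who can put that source address on the wire, while "in,ipsec" can only be satisfied by a packet that authenticated under an existing SA.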
by dog
Thu Jan 07, 2016 11:43 am
Forum: General
Topic: Packet Mark no longer retained after decrypting IPSec in v6?
Replies: 3
Views: 623

Packet Mark no longer retained after decrypting IPSec in v6?

Hi,

I had an RB450 running RouterOS 5.26 which I now had to replace with a newer model. On v5 I had a mangle rule like this:

add action=mark-packet chain=prerouting dst-address-type=local dst-port=4500 log-prefix=MARK new-packet-mark=ipsec-input passthrough=no protocol=udp

I could then use that to...
by dog
Sat May 16, 2015 3:05 am
Forum: RouterOS v6 RC and v7 BETA
Topic: NPTv6 / RFC 6296 Support?
Replies: 19
Views: 3398

Re: NPTv6 / RFC 6296 Support?

You lost my attention at "ssl vpns are better". Lol. Really?

Yep, for the very simple fact that SSL/TLS is a proven protocol with widespread use and pretty good understanding of the basic workings in the security community. IPSec on the other hand
* has far too many switches left to the admin to d...
by dog
Sat May 16, 2015 1:35 am
Forum: RouterOS v6 RC and v7 BETA
Topic: NPTv6 / RFC 6296 Support?
Replies: 19
Views: 3398

Re: NPTv6 / RFC 6296 Support?

It's breaking the end to end connectivity rule.

There is no "end to end rule". "End to End" is a theoretical design maxim, much like the OSI model. NPTv6 would only be a problem for applications that violate the OSI layer model in regard to separation of concerns - those applications we need "fire...
by dog
Fri May 15, 2015 11:51 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: NPTv6 / RFC 6296 Support?
Replies: 19
Views: 3398

Re: NPTv6 / RFC 6296 Support?

Given the fact that IPv6 allows header stacking, maybe a new header similar to the dreaded source routing will come into use

It's already there, and just as horrible as one would think – unless they got rid of it in the recent years: http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf AFAIK there...
by dog
Fri May 15, 2015 6:24 am
Forum: RouterBOARD hardware
Topic: S+31DLC10D and HP 5130-24G-4SFP+ EI Switch
Replies: 2
Views: 482

Re: S+31DLC10D and HP 5130-24G-4SFP+ EI Switch

If you plan to use the S+31DLC10D in the HP switch:
In general HP does vendor code checking on SFPs, so only "HP-branded" models will work.
That switch however seems to be originally from 3com, where it may be different.
by dog
Fri May 15, 2015 6:00 am
Forum: RouterOS v6 RC and v7 BETA
Topic: NPTv6 / RFC 6296 Support?
Replies: 19
Views: 3398

Re: NPTv6 / RFC 6296 Support?

NPTv6 is not "NAT" as you are implying; that would mean "stateful Address/Port Translation". NPTv6 does nothing of that sort, it simply does stateless prefix translation. Also, unlike NATv4 which more or less just "happened" with all kinds of implementation incompatibilities, NPTv6 is very clearly spe...
by dog
Wed May 13, 2015 4:41 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: NPTv6 / RFC 6296 Support?
Replies: 19
Views: 3398

Re: NPTv6 / RFC 6296 Support?

Any news on this?
Linux kernel 3.13 already seems to have native support for NPTv6.
by dog
Sat Apr 04, 2015 8:26 pm
Forum: General
Topic: PPTP server on alternative routing table fails when client is not reachable via main routing table
Replies: 0
Views: 258

PPTP server on alternative routing table fails when client is not reachable via main routing table

Hi,

* Have a PPTP server running on 6.27
* Some sessions that come in via a certain interface also need to go back out through that interface
* Works fine with mangle/routing marks.
* However if the main routing table (which is not used here) does not know the destination, ROS will drop the response...
by dog
Sat Mar 29, 2014 6:27 am
Forum: General
Topic: No idea how this is event possible
Replies: 14
Views: 2134

Re: No idea how this is event possible

The RB2011 is "rated" at about 700 Mbit/s: http://routerboard.com/RB2011UiAS-IN (the value in the lower right corner is closest to real-world), so it is unlikely that you will get 1 Gbit out of it anyway. Please post a configuration export. To test for a bottleneck first clear the router configuration...
by dog
Fri Mar 28, 2014 12:20 pm
Forum: General
Topic: No idea how this is event possible
Replies: 14
Views: 2134

Re: No idea how this is event possible

What Routerboard do you have?
Most likely you are simply maxing out the CPU.
by dog
Tue Mar 11, 2014 10:59 am
Forum: General
Topic: PBR - Ensure traffic leaves the same interface it arrives on
Replies: 10
Views: 2868

Re: PBR - Ensure traffic leaves the same interface it arrive

Well, take a look again at what I said:
Create a second rule that applies a new routing mark to packets marked with the connection mark and coming from the DMZ.
Right now you are switching inbound traffic to a routing table that no longer has the destination it is supposed to reach.
by dog
Mon Mar 10, 2014 6:32 pm
Forum: General
Topic: how to block open proxy in mikrotik
Replies: 1
Views: 783

Re: how to block open proxy in mikrotik

I assume you are referring to sites like HideMyAss?

The simple answer is: using a blacklist approach you will never be able to block a significant number of those sites; there are just too many.
Thus if you really need to block it, you will have to switch to a whitelist setup.
by dog
Mon Mar 10, 2014 6:21 pm
Forum: General
Topic: PBR - Ensure traffic leaves the same interface it arrives on
Replies: 10
Views: 2868

Re: PBR - Ensure traffic leaves the same interface it arrive

This should be quite easy using two mangle rules. Create a first rule that marks connections coming from the VPN tunnel and not having a mark already. Create a second rule that applies a new routing mark to packets marked with the connection mark and coming from the DMZ. Add a new routing table with...
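The two mangle rules and the extra routing table, written out as an added example that is not the post's own configuration. The interface names (vpn1 for the tunnel, ether3-dmz for the DMZ) and the mark names are assumptions; the point it carries over from the thread is that only the replies get the routing mark.

```routeros
# Added example, not from the original post. Assumed names: the VPN tunnel
# interface is "vpn1", the DMZ-facing interface is "ether3-dmz".
/ip firewall mangle
# 1) Mark new connections that arrive over the tunnel and carry no mark yet.
#    Only the connection is marked; routing of the inbound packets is left alone.
add chain=prerouting in-interface=vpn1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes
# 2) Only the reply packets, i.e. those coming back out of the DMZ on such a
#    connection, get the routing mark. Marking the inbound packets too would
#    send them to a table that has no route to the DMZ host and they would be dropped.
add chain=prerouting in-interface=ether3-dmz connection-mark=from-vpn \
    action=mark-routing new-routing-mark=back-via-vpn passthrough=no

/ip route
# The table "back-via-vpn" needs a single route: everything back through the tunnel.
add dst-address=0.0.0.0/0 gateway=vpn1 routing-mark=back-via-vpn
```

Restricting rule 1 to in-interface=vpn1 matters: a connection mark set on traffic that arrived elsewhere would pull unrelated DMZ replies into the tunnel.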
by dog
Mon Mar 10, 2014 5:31 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 14089

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

Basically the problem is that wireless clients do not create an interface on MT (except for WDS), so you can't put them in a VLAN. The workaround would be to use a Virtual AP and create two WLANs for eduroam guests and local users and bridge them to different VLANs. Then you would have to configure f...
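The workaround from the post in full, as an added example that is not the post's own configuration. The radio name wlan1, the uplink ether1 with VLAN 10 for eduroam and VLAN 20 for local users, and the RADIUS server address and secret are assumptions.

```routeros
# Added example, not from the original post. Assumed: physical card wlan1,
# uplink ether1 carrying VLAN 10 (eduroam) and VLAN 20 (local users),
# RADIUS server 10.0.0.5 with the shared secret "radius-secret".
/radius
add service=wireless address=10.0.0.5 secret=radius-secret

/interface wireless security-profiles
# WPA2-Enterprise on both SSIDs; EAP is passed through to RADIUS, so the
# router itself holds no user credentials
add name=eduroam mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough
add name=local mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough

/interface wireless
set wlan1 mode=ap-bridge ssid=local security-profile=local disabled=no
# A virtual AP on the same radio gives the guests an interface of their own...
add master-interface=wlan1 name=wlan1-eduroam ssid=eduroam security-profile=eduroam disabled=no

/interface vlan
add interface=ether1 vlan-id=10 name=vlan10-eduroam
add interface=ether1 vlan-id=20 name=vlan20-local

/interface bridge
add name=br-eduroam
add name=br-local
/interface bridge port
# ...which is bridged into its own VLAN, so eduroam and local clients never share
# a broadcast domain even though they share the radio
add bridge=br-eduroam interface=wlan1-eduroam
add bridge=br-eduroam interface=vlan10-eduroam
add bridge=br-local interface=wlan1
add bridge=br-local interface=vlan20-local
```

Because this is a per-SSID split rather than a per-user VLAN assignment, the RADIUS reply attribute is ignored: whichever SSID a client joins decides its VLAN, so the two SSIDs must not be interchangeable from the user's point of view.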
by dog
Mon Feb 24, 2014 1:19 pm
Forum: Wireless Networking
Topic: 802.11u, Hotspot 2.0?
Replies: 3
Views: 1402

802.11u, Hotspot 2.0?

So while reading the CAPs Manager article I saw the first official mention of 802.11u and Hotspot 2.0 from Mikrotik. Does this mean we will get support for those features soon? Will it be limited to CAP or available in all configurations? I'm especially interested in the server-side-only EAP-TLS par...
by dog
Sun Dec 22, 2013 4:58 pm
Forum: General
Topic: 100's of devices with similar mac & hostnames depleting ip's
Replies: 13
Views: 5219

Re: 100's of devices with similar mac & hostnames depleting

There is not much you can do in a hotspot scenario (with known users you can always lock down on MACs)

* Increase DHCP pool -> Attack will take longer and fill up more memory
* Decrease lease time (In a public hotspot I'd say you can go as low as 1h)
* "DHCP Greylisting": Use the authoritative after...
by dog
Sun Dec 22, 2013 4:34 am
Forum: Wireless Networking
Topic: Mikrotik vs Ubiquiti Unifi
Replies: 23
Views: 16085

Re: Mikrotik vs Ubiquiti Unifi

Not currently. Mikrotik is working on a controller feature, but it isn't out yet.
Is there actually any official statement from MT on this? ("Yeah, we will consider thinking about doing it in the future" doesn't count)
by dog
Sun Dec 22, 2013 4:10 am
Forum: General
Topic: 100's of devices with similar mac & hostnames depleting ip's
Replies: 13
Views: 5219

Re: 100's of devices with similar mac & hostnames depleting

DHCP Exhaustion Attack is a pretty old type of DoS.
As with all kinds of DoS some people do that just for fun (which I assume is meant by "joke" here).
by dog
Mon May 27, 2013 4:33 am
Forum: Beginner Basics
Topic: Route
Replies: 2
Views: 596

Re: Route

by dog
Mon May 27, 2013 4:30 am
Forum: Beginner Basics
Topic: RB493G + 3 radio
Replies: 8
Views: 1299

Re: RB493G + 3 radio

There is a huge difference between

* One radio with 3x3 MIMO
* Three radios with whatever

You can stick 3 radios in a RB493G, but you can't do 3x3 MIMO with it as those cards are all miniPCI-e and the RB493G only supports miniPCI cards.
by dog
Tue Apr 23, 2013 2:53 pm
Forum: RouterBOARD hardware
Topic: Dualband AP with Mikrotik - what hardware?
Replies: 5
Views: 1336

Re: Dualband AP with Mikrotik - what hardware?

By the way, how many clients can be connected to a single RB751? - I am just wondering, if I can spread the devices out a little to cover a greater area ...

Vendors usually don't make statements about that... I've taken as a general rule for better APs: 20-25 active users, 50 users max. with most of...
by dog
Wed Jan 30, 2013 8:47 pm
Forum: Wireless Networking
Topic: what is the "best" signal?
Replies: 15
Views: 6457

Re: what is the "best" signal?

I set a higher antenna gain than there really is.
by dog
Wed Jan 30, 2013 6:58 pm
Forum: Beginner Basics
Topic: What free VPN client to use with my PPTP server on Mikrotik?
Replies: 4
Views: 1486

Re: What free VPN client to use with my PPTP server on Mikro

Do those clients even support PPTP?
Nope, Checkpoint, Cisco and ShrewSoft (the last one) are all IPsec clients.

AFAIK There is no Third-Party PPTP Client for Windows.
by dog
Wed Jan 30, 2013 6:49 pm
Forum: Wireless Networking
Topic: what is the "best" signal?
Replies: 15
Views: 6457

Re: what is the "best" signal?

SNR < 23 too low
SNR 30-40 target range
SNR > 50 too strong

That's my general rule of thumb.
by dog
Wed Jan 23, 2013 5:28 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: NPTv6 / RFC 6296 Support?
Replies: 19
Views: 3398

NPTv6 / RFC 6296 Support?

So as it stands now most bigger ISPs have decided to still give out dynamic prefixes with IPv6.
That again makes the case for NAT.

NPTv6 provides a simple stateless NAT that only translates one prefix to another.
Any chance we are going to see at least sect. 2.1 of the RFC in a future ROS?
by dog
Sun Jan 13, 2013 11:37 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: OVPN on new versoins ROS 6.0 and 5.1...
Replies: 61
Views: 18269

Re: OVPN on new versoins ROS 6.0 and 5.1...

Can you please explain in a few words to us why the mikrotik team does not wish to implement those features, even though they have been requested by so many users on this forum for quite some time.

Stubbornness. OpenVPN/UDP is by far the most requested feature on the forums and in the wiki and MT rather chos...
by dog
Sun Jan 13, 2013 11:16 pm
Forum: General
Topic: Is anyone using RouterOS as an ISP DSL aggregator box?
Replies: 7
Views: 929

Re: Is anyone using RouterOS as an ISP DSL aggregator box?

Such reseller setups are often PPPoE over L2TP and AFAIR MikroTik still has problems with that.
by dog
Sun Jan 13, 2013 11:01 pm
Forum: Forwarding Protocols
Topic: Stop redirect ICMP
Replies: 3
Views: 1209

Re: Stop redirect ICMP

Yes, this is a routing loop.

On router A (where your PPPoE AC is?) you have to create a static route with your whole PPPoE subnet as destination and type unreachable.
by dog
Sun Dec 16, 2012 11:22 pm
Forum: General
Topic: Testing my ISP for burst throttling
Replies: 4
Views: 1039

Re: Testing my ISP for burst throttling

Actually it is an ISP problem. YouTube is hugely popular, which for an ISP means they would have to upgrade their peering with YouTube. However, many ISPs came up with the idea that charging twice for the same thing is better than charging once, so they try to blackmail YouTube by saying "Either you pa...
by dog
Sun Dec 16, 2012 11:12 pm
Forum: General
Topic: Clearing Owner/Info Pair Table
Replies: 10
Views: 1299

Re: Clearing Owner/Info Pair Table

MikroTik's IP pools work like DHCP in that they try to always reassign the same address, whereas home users have come to expect from their ISP to get a new address every time they log in. This has been discussed on the forums and MT refuses to change it. Your best choice would be to use a RADIUS serv...
by dog
Sun Nov 11, 2012 10:09 pm
Forum: RouterBOARD hardware
Topic: Mikrotik RB951-2N-Level 4
Replies: 1
Views: 804

Re: Mikrotik RB951-2N-Level 4

My internet bandwidth is ~80mbps, but the traffic I receive during the flood is 500mbps+

No router can help you with that. Only your ISP can block the IPs, but once the traffic reaches your router your connection is already full. Also the RB951 is a home user device that will probably not handle th...
by dog
Sat Nov 10, 2012 3:03 am
Forum: RouterBOARD hardware
Topic: CLOUD CORE ROUTER
Replies: 1374
Views: 996313

Re: CLOUD CORE ROUTER

AFAIK, Tile-Gx 8000 series has only 16-, 36-, 64- and 100-core versions :)
9, 16, 36:
http://www.tilera.com/sites/default/fil ... 036-02.pdf
64 Core is a different family:
http://www.tilera.com/sites/default/fil ... r_A_v4.pdf
by dog
Sat Oct 27, 2012 2:49 am
Forum: RouterBOARD hardware
Topic: NEW PRODUCT - Cloud Core Router
Replies: 104
Views: 31844

Re: NEW PRODUCT - Cloud Core Router

Of course it is not "stable", whatever you mean by that. No company would just put a finished product on the shelf and tease users :) Usually when the price is released that means that the product is 1-3 months away (i.e. initial production run, last bug fixes, ...) So right now I'd say there is a 30-4...
by dog
Thu Oct 25, 2012 5:45 pm
Forum: Wireless Networking
Topic: 300 vehicles in one place
Replies: 5
Views: 1033

Re: 300 vehicles in one place

Never put more than 25 clients on a single AP (true for any vendor with standard 802.11). The client chooses which AP it uses. In ROS you can only limit the maximum amount of clients that can connect (if that is reached a client might try another AP). In general your best bet is to reduce the AP TX po...
by dog
Wed Oct 24, 2012 8:55 pm
Forum: Forwarding Protocols
Topic: RB751G-2Hnd igmp-proxy ?
Replies: 2
Views: 3781

Re: RB751G-2Hnd igmp-proxy ?

IGMP Proxy is a separate package.

Download the ZIP(!) file from http://www.mikrotik.com/download and extract it.
Take the igmpproxy.npk and drop it on the Winbox window.
Reboot the router and the package will be available under System > Packages
by dog
Tue Oct 09, 2012 10:45 pm
Forum: General
Topic: vlans/trunk between juniper switch and mikrotik
Replies: 10
Views: 2060

Re: vlans/trunk between juniper switch and mikrotik

Show your MikroTik's configuration.

ros code

/export compact hide-sensitive
by dog
Mon Oct 08, 2012 2:33 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature request: MLPPP server
Replies: 30
Views: 6345

Re: Feature request: MLPPP server

Has been a request for years:

http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

(Also take a look at OpenVPN/UDP on that page to see how much Mikrotik cares about user requests)
by dog
Sat Oct 06, 2012 12:44 am
Forum: General
Topic: blocking Mac Address by vendors
Replies: 2
Views: 714

Re: blocking Mac Address by vendors

No, this can't be done.
Neither on MT nor on any other vendor, because there is no MAC-ID for "iPhone" or "Android".
Only for Apple, Samsung, ASUS, etc.

Apart from that you can use Bridge Filters to block MAC-ID ranges.
by dog
Fri Oct 05, 2012 11:25 pm
Forum: General
Topic: Newsletter 41: NEW PRODUCTS!
Replies: 64
Views: 24544

Re: Newsletter 41: NEW PRODUCTS!

microUSB cables have ugly big connector (the square plastic around connector tip), you can't plug it without having that hole.
So why not on CCR?
278_hi_res.png
Also what about:
Does RouterOS support DDMI from SFPs?
by dog
Thu Oct 04, 2012 9:06 pm
Forum: RouterBOARD hardware
Topic: Boosting RB751U-2HnD Antennas!
Replies: 91
Views: 67694

Re: Boosting RB751U-2HnD Antennas!

Image
That's the device I'd like to see from MT!, but with 3x3 MIMO or dual 2.4/5 GHz operation and ports on one side so it can be wall mounted with the cables going up.
by dog
Thu Oct 04, 2012 8:42 pm
Forum: RouterBOARD hardware
Topic: So, ah, Cloud Core Router CCR1036 Shipping Date? Please...
Replies: 115
Views: 24597

Re: So, ah, Cloud Core Router CCR1036 Shipping Date? Please.

And now i see that CCR not for me, its just another office switch\router
Riiiiiiiight....so what would you call a RB750 then? 9600 Baud Modem?
by dog
Thu Oct 04, 2012 3:22 am
Forum: RouterBOARD hardware
Topic: 802.11ac
Replies: 4
Views: 1599

Re: 802.11ac

Q1 2013 is possible?
I don't think there's any chance for that.
MT will mostly be busy with CCR and ROS6 during Q4 12 / Q1 13.
I would rather count on somewhere like Q4 13.
by dog
Mon Oct 01, 2012 4:29 am
Forum: General
Topic: Newsletter 41: NEW PRODUCTS!
Replies: 64
Views: 24544

Re: Newsletter 41: NEW PRODUCTS!

I do not understand why MikroTik forgives a large market

Probably because the xDSL market is controlled by the ITU and shared only among a few companies (Broadcom, Siemens, ...) But this annoys me each day. It's basically impossible to buy a regular DSL modem nowadays that does not have some buggy r...
by dog
Wed Sep 12, 2012 4:29 pm
Forum: General
Topic: hairpin nat not working
Replies: 24
Views: 3624

Re: hairpin nat not working

One configuration for hairpin NAT with static IP is:

ros code

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT disabled=no
add action=dst-nat chain=dstnat comment="SSH" disabled=no dst-address=5.x.x.x dst-port=22 protocol=tcp to-addresses=192.168.x.x to-ports=22
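A complete static-IP hairpin setup, as an added example that is not the post's own configuration. The addresses are assumptions (203.0.113.10 as the public IP on ether1-wan, 192.168.1.0/24 as the LAN, 192.168.1.10 as the SSH server); the third rule is the one that actually makes the hairpin work.

```routeros
# Added example, not from the original post. Assumed: public IP 203.0.113.10
# on ether1-wan, LAN 192.168.1.0/24, SSH server 192.168.1.10.
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade comment="NAT"
# Port forward. Deliberately no in-interface restriction, so it also matches
# LAN clients connecting to the public address.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=22 comment="SSH"
# The hairpin rule. A LAN client connecting to 203.0.113.10 is dst-natted to
# 192.168.1.10, but without this rule the server sees the client's LAN address,
# answers it directly on the LAN, and the client discards the reply because it
# expects it from 203.0.113.10. Masquerading LAN->server traffic makes the server
# answer the router, which then un-NATs both directions.
# dst-address is the post-dst-nat address: srcnat runs after dstnat.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 protocol=tcp dst-port=22 \
    action=masquerade comment="hairpin"
```

Two caveats a practitioner will want: the dst-nat rule exposes SSH to the whole Internet, so the forward-chain filter (not shown) must be what limits who reaches it; and the hairpin masquerade means the server's logs show the router's LAN address for internal clients, so any per-source rate limiting or auditing on the server has to account for that.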
by dog
Wed Sep 12, 2012 12:47 pm
Forum: Beginner Basics
Topic: New to Mikrotik. Have questions, and seeking suggestions!
Replies: 1
Views: 363

Re: New to Mikrotik. Have questions, and seeking suggestions

What do you mean by high end firewall?
The ROS firewall is based on netfilter like all Linux systems.
This is a highly customizable but difficult firewall.

However it is not an ALG or UTM system.
by dog
Tue Sep 11, 2012 2:23 am
Forum: RouterBOARD hardware
Topic: NEW PRODUCT - Cloud Core Router
Replies: 104
Views: 31844

Re: NEW PRODUCT - Cloud Core Router

Btw does Mikrotik Support HA such as Clustering?

Clustering in the sense of configuration synchronization... No, that is another long standing feature request.

Any update regarding the expected "end of september" availability of the CCR?

They never said a year. Always remember the RB2011 series :ro...
by dog
Mon Sep 10, 2012 11:12 pm
Forum: RouterBOARD hardware
Topic: RB750 CPU Usage Problems
Replies: 25
Views: 10636

Re: RB750 CPU Usage Problems

Nope, mine has ST NAND512W3A2CN6

A friend of mine says the problem disappears as soon as he has Queues affecting the traffic and starts again when he removes them.

My observation is that it only happens on RB750s that also had the bad caps problem.
by dog
Mon Sep 10, 2012 7:24 pm
Forum: General
Topic: Using a Mikrotik, can't visit this one website
Replies: 3
Views: 629

Re: Using a Mikrotik, can't visit this one website

Works for me.
Try lowering your MTU setting.
by dog
Mon Sep 10, 2012 7:19 pm
Forum: General
Topic: hairpin nat not working
Replies: 24
Views: 3624

Re: hairpin nat not working

The configuration depends on whether your public IP is static or dynamic.