Community discussions

Search found 1726 matches

by Feklar
Fri Dec 15, 2017 12:33 am
Forum: General
Topic: Bug reporting howto ?
Replies: 3
Views: 959

Re: Bug reporting howto ?

Email support@mikrotik.com; it is helpful if you include a supout of the router so they can see what is going on.
by Feklar
Wed Nov 22, 2017 5:52 pm
Forum: General
Topic: Open SNMP and Syslog ports
Replies: 11
Views: 1435

Re: Open SNMP and Syslog ports

If you can do a walk off of the same server, and SpiceWorks is able to pull data, then OpManager and Solarwinds should work just the same. I would check your firewall address list to make sure those servers didn't fire the auto block rules that you have in place.
by Feklar
Tue Nov 21, 2017 7:51 pm
Forum: General
Topic: Open SNMP and Syslog ports
Replies: 11
Views: 1435

Re: Open SNMP and Syslog ports

Check your SNMP community settings. You just have the trap settings listed, by default the community is set to public I believe. Do you see the firewall rule that you have for SNMP increment?
by Feklar
Fri Nov 17, 2017 9:20 pm
Forum: General
Topic: Open SNMP and Syslog ports
Replies: 11
Views: 1435

Re: Open SNMP and Syslog ports

What version of SNMP are you trying to use in your server? Try setting it to 2c if you are trying to use v1 or v3. If you are trying to use v3, you need to set the appropriate keys and passwords in the MikroTik.

An export of '/ip firewall' would be more effective in seeing your ruleset.
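Added example, not part of Feklar's post or the thread: a RouterOS config for the SNMPv3 setup described above, with the agent answering only one monitoring host and the built-in "public" community taken out of play. The monitor address 192.0.2.10, the community name and the passwords are placeholders.

```routeros
# Added example (not from the post): lock SNMP to one monitoring host and
# replace the default v1/v2c "public" community with an SNMPv3 one.
# 192.0.2.10 is an assumed monitoring server; names and passwords are placeholders.

# 1. The built-in "public" community cannot be removed, so take away its
#    read access and pin it to loopback so nothing can use it.
/snmp community set [find name=public] read-access=no write-access=no addresses=127.0.0.1/32

# 2. SNMPv3 community: authenticate with SHA1, encrypt with AES, read-only,
#    and only answer queries coming from the monitoring server.
/snmp community add name=monitor security=private \
    authentication-protocol=SHA1 authentication-password="ChangeMe-Auth-1" \
    encryption-protocol=AES encryption-password="ChangeMe-Priv-1" \
    addresses=192.0.2.10/32 read-access=yes write-access=no

# 3. Enable the agent and send v3 traps to the same host.
/snmp set enabled=yes trap-target=192.0.2.10 trap-community=monitor trap-version=3

# 4. Input chain: accept UDP/161 from the monitor only, drop all other SNMP.
#    place-before puts the pair ahead of the existing input rules.
/ip firewall filter add chain=input protocol=udp dst-port=161 src-address=192.0.2.10 \
    action=accept comment="SNMP from monitor" place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=161 \
    action=drop comment="SNMP drop others" place-before=1

# 5. Check: a walk from 192.0.2.10 increments the accept rule's counters;
#    a walk from anywhere else only increments the drop rule.
/ip firewall filter print stats where comment~"SNMP"
```

The server side must then be set to SNMP version 3 with the same authentication and privacy protocols and passwords; a v2c poller against this router will get no answer at all, which is the intended behaviour.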
by Feklar
Thu Nov 16, 2017 9:43 pm
Forum: General
Topic: Open SNMP and Syslog ports
Replies: 11
Views: 1435

Re: Open SNMP and Syslog ports

You haven't really provided your current configuration for someone to be able to help, people cannot read your mind and do not know what you have tried or what is currently set. If you provide those details, we can try and help point you in the right direction. So you have SNMP enabled, I'm assuming...
by Feklar
Tue Nov 14, 2017 5:47 pm
Forum: General
Topic: Buying Advice
Replies: 5
Views: 611

Re: Buying Advice

Netflows would give you the clearest picture of what local IP is pushing that much data, as well as protocol, port, and destination. It is known as Traffic Flow in MikroTik. The MikroTik can export the flows, and you would need a collector. I've used NFSen, but can be a bit of a pain to setup, there...
by Feklar
Tue Nov 14, 2017 5:08 pm
Forum: General
Topic: Mikrotik Custom Login Page Configuration
Replies: 6
Views: 3511

Re: Mikrotik Custom Login Page Configuration

Your redirect.html needs to point to your new login page, whatever you named it, by default it points to login.html, you can download those pages onto your computer and see what they are with a word editor.

If you edit them, then just upload and copy over the default one.
by Feklar
Sat Nov 04, 2017 5:46 pm
Forum: General
Topic: All My Clients Computers Show Ip Conflict
Replies: 2
Views: 326

Re: All My Clients Computers Show Ip Conflict

Checking to see if you have proxy-arp enabled on the client facing interface would be the first step with your description. Past that we would need to know how your router and network are set up to help much more.
by Feklar
Sat Nov 04, 2017 5:41 pm
Forum: Beginner Basics
Topic: Gateway failover - Single interface
Replies: 2
Views: 390

Re: Gateway failover - Single interface

There are a few ways to go about this, one way with your current setup that should be fast is to try and use routing rules. "/ip route rule" There specify the dst-address of the service you want to ping over a given gateway and set the action to "lookup-only-in-table". This assumes that you have a r...
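Added example, not from the post: one way to build the routing-rule approach Feklar describes, with both gateways on the same interface and netwatch doing the switch. The gateway addresses 203.0.113.1 and 203.0.113.2, the probe host 198.51.100.1 and the table name via-gw1 are all assumed.

```routeros
# Added example (not from the post): two gateways on one interface (ether1),
# gw1 preferred, with netwatch failing over to gw2. Gateways 203.0.113.1 and
# 203.0.113.2, probe host 198.51.100.1 and table name via-gw1 are placeholders.

# Main table: gw1 wins on distance, gw2 only takes over when gw1 is disabled.
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 comment=gw1
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.2 distance=2 comment=gw2

# A separate table that only knows how to reach the probe host through gw1,
# and a route rule that forces traffic to the probe host into that table.
# lookup-only-in-table means the probe never silently falls back to gw2,
# so a failed ping really does mean gw1 is unreachable.
/ip route add dst-address=198.51.100.1/32 gateway=203.0.113.1 routing-mark=via-gw1
/ip route rule add dst-address=198.51.100.1/32 action=lookup-only-in-table table=via-gw1

# Netwatch: ping the probe host (which now always goes via gw1). When it
# fails, disable the gw1 default route so the main table picks gw2; when it
# recovers, put gw1 back.
/tool netwatch add host=198.51.100.1 interval=10s timeout=1s \
    down-script="/ip route disable [find comment=gw1]" \
    up-script="/ip route enable [find comment=gw1]"

# Check which default is active and whether the probe route is in its table.
/ip route print where dst-address=0.0.0.0/0
/ip route print where routing-mark=via-gw1
```

Pick a probe host that is stable and that you do not mind pinging every ten seconds; a single flapping target will flap your default route with it, so a longer interval or a second netwatch on a second host is worth considering.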
by Feklar
Fri Nov 03, 2017 7:33 pm
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7680

Re: Help me stop MAC spoofing

ok why don't you provide us with a better solution then? Check earlier in the thread where layer2 isolation on the wireless access is talked about, along with VLANs and port isolation on switches. There is also enabling WPA2 encryption on wireless assuming that you are in a situation that you can g...
by Feklar
Thu Nov 02, 2017 10:28 pm
Forum: Beginner Basics
Topic: Few simple questions about custom chains in RouterOS
Replies: 3
Views: 617

Re: Few simple questions about custom chains in RouterOS

Did some quick googling, you were actually correct, its default action is to return to the parent chain.

The firewall in RouterOS is IPChains under the hood, so if you understand how IPChains work, you just need to understand the syntax differences.
by Feklar
Thu Nov 02, 2017 9:34 pm
Forum: Beginner Basics
Topic: Few simple questions about custom chains in RouterOS
Replies: 3
Views: 617

Re: Few simple questions about custom chains in RouterOS

1.) Unless you tell it to return to the chain from which it jumped or have a catch-all rule, it will fall through to a default accept.
2.) Yes, you can nest chains if so desired, but you don't want to make things too complex, it can hurt router throughput, or just make things a pain to work on i...
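Added example, not from either post in this thread: a custom chain reached by a jump, with an explicit return at its end and an explicit drop at the end of the parent chain, so that the "fall through to a default accept" both posts talk about cannot happen. The interface names bridge1 (LAN) and ether1 (WAN) and the chain name lan-to-wan are assumed.

```routeros
# Added example (not from the thread): jump into a custom chain, return from it,
# and end the parent chain with a drop so nothing relies on the implicit accept.
# bridge1 = LAN, ether1 = WAN, chain name lan-to-wan: all assumed.

/ip firewall filter
# Parent chain. Established/related first so the jump only sees new traffic.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge1 out-interface=ether1 action=jump jump-target=lan-to-wan

# Processing resumes here when lan-to-wan returns (explicitly, or by running
# off its end). Accept what the LAN is still allowed to send...
add chain=forward in-interface=bridge1 out-interface=ether1 action=accept comment="LAN to WAN"
# ...and drop everything else, including whatever reached the end of the
# chain without matching. Without this rule the firewall accepts by default.
add chain=forward action=drop comment="default drop"

# Custom chain: only the things we do not want the LAN sending out. A drop
# here ends processing for the packet; it never comes back to the parent.
add chain=lan-to-wan protocol=tcp dst-port=25 action=drop comment="no direct SMTP out"
add chain=lan-to-wan protocol=udp dst-port=137-139 action=drop comment="no NetBIOS out"
# Explicit return. Leaving it out behaves the same, but it documents intent.
add chain=lan-to-wan action=return

# Check: counters on the custom chain show what it is catching.
/ip firewall filter print stats where chain=lan-to-wan
```

Keep the custom chain for the exceptions and put the accept and the final drop in the parent chain; that way the only thing a mistake in lan-to-wan can do is drop too little, and the parent's default drop still catches it.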
by Feklar
Thu Nov 02, 2017 9:08 pm
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7680

Re: Help me stop MAC spoofing

One can still do ARP requests as that is a layer2 function, and need not involve the IP addresses, also if someone just sniffs for wireless traffic they can still grab MAC addresses out of the air. So your solutions will only slow down someone that has a basic knowledge of what is going on, not real...
by Feklar
Thu Nov 02, 2017 8:48 pm
Forum: General
Topic: Firawall and NAT counter
Replies: 4
Views: 458

Re: Firawall and NAT counter

NAT rule counters only fire on a new connection. Once a new connection is established it's part of the connection table and it doesn't need to look up the NAT rule anymore. If that's all you have in your firewall filter table, that means each packet needs to be processed individually against those r...
by Feklar
Fri Oct 27, 2017 7:51 pm
Forum: Forwarding Protocols
Topic: Block MAC Address's Attacker [SOLVED]
Replies: 14
Views: 1354

Re: Block MAC Address's Attacker [SOLVED]

Depends on where you are logging the information, and how your network is setup. MAC addresses are layer2 information and do not pass a layer3 hop. So if your web server is not on the same LAN segment as the user, the web server will never see the MAC address, just the IP address the connection requ...
by Feklar
Fri Oct 27, 2017 6:58 pm
Forum: General
Topic: Best method to load balance 8 Wan for a domitory
Replies: 3
Views: 507

Re: Best method to load balance 8 Wan for a domitory

Chances are it's too random, you have the PCC classifier set to both-addresses-and-ports. Try setting it to both-addresses to keep multiple connections to the same IP from the same host on the same link, or try moving it to src-address so that a given host will always use one WAN. This will help wit...
by Feklar
Fri Oct 13, 2017 11:09 pm
Forum: Beginner Basics
Topic: Access router inside LAN via WAN with NAT?
Replies: 7
Views: 1776

Re: Access router inside LAN via WAN with NAT?

Your forward chain is kinda OK. There is no default drop all, so basically it's permitting everything to be forwarded. That is not very secure, it would be better to lock it down, but that is outside the scope of your question. Your last NAT rule that is doing the forwarding needs to be different: a...
by Feklar
Fri Oct 13, 2017 7:47 pm
Forum: Beginner Basics
Topic: how to two subnet to communicate?
Replies: 10
Views: 1248

Re: how to two subnet to communicate?

Chances are it's the built in windows firewall preventing it.
by Feklar
Fri Oct 13, 2017 6:27 pm
Forum: Beginner Basics
Topic: Unrecognized Ethernet Interface
Replies: 2
Views: 408

Re: Unrecognized Ethernet Interface

You need to contact support support@mikrotik.com and they may be able to add in support for the specific device. If you have another Ethernet adaptor card lying around you might be able to use that as well. The other option, and probably faster/easier, would be to use the cloud hosted router instead...
by Feklar
Fri Oct 13, 2017 6:12 pm
Forum: Beginner Basics
Topic: how to two subnet to communicate?
Replies: 10
Views: 1248

Re: how to two subnet to communicate?

So in reality you have 3 routers, not just two. Do you want the two routers to communicate to each other over the main one? Depending on the type of VPN you are using, L2TP, PPTP, EoIP, etc. the virtual interface should have an IP address assigned to it, an address and network IP if you look at your...
by Feklar
Fri Oct 13, 2017 1:13 am
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7680

Re: Help me stop MAC spoofing

You are going to need to spend time implementing layer 2 isolation on your network. Basically this is not something that can be done or controlled at the core of your network, you need to do it at the edge of the network, the point that client devices connect. How you do that is up to you and depend...
by Feklar
Fri Oct 13, 2017 12:55 am
Forum: Beginner Basics
Topic: how to two subnet to communicate?
Replies: 10
Views: 1248

Re: how to two subnet to communicate?

Are the two subnets attached to the same router? If not, how are the two routers connected? Directly or over some VPN? You will need to install the necessary routes with next hop addresses in each router as well, and how you do that depends on your answers.
by Feklar
Fri Oct 13, 2017 12:46 am
Forum: Beginner Basics
Topic: Access router inside LAN via WAN with NAT?
Replies: 7
Views: 1776

Re: Access router inside LAN via WAN with NAT?

The firewall is already accepting all entry from port 81 and 80 - if it's working for my remote management of the main router, it should for the other one no problem. And yes, I added the specific port but it didn't help. Still won't let me, no idea what I'm missing.
Input or forward chain for the ...
by Feklar
Thu Oct 12, 2017 5:35 pm
Forum: Beginner Basics
Topic: Access router inside LAN via WAN with NAT?
Replies: 7
Views: 1776

Re: Access router inside LAN via WAN with NAT?

1.) Have to change the to-port to the appropriate service, port 80 for http, 443 for https.
2.) Does your firewall filter allow connections from the outside world into the network? If not create the appropriate rule, be as specific with the rule as you can be for security reasons.
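Added example, not from the post: the two pieces Feklar lists, a dst-nat rule with the right to-ports and a forward-chain accept that is as specific as possible, plus the default drop that the thread's earlier reply said was missing. The WAN interface ether1, the inside server 192.168.88.2, the outside port 8081 and the allowed source network 203.0.113.0/24 are all assumed.

```routeros
# Added example (not from the post): forward WAN tcp/8081 to an inside web
# server's port 80 and open the forward chain only for that flow.
# ether1 = WAN, 192.168.88.2 = inside server, 203.0.113.0/24 = the only
# outside network that may reach it. All of these are placeholders.

# 1. dst-nat: rewrite destination to the inside host and the REAL service port.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8081 \
    action=dst-nat to-addresses=192.168.88.2 to-ports=80 comment="web-in"

# 2. forward chain. Filter rules run after dst-nat, so match the translated
#    destination (192.168.88.2:80), not the public port. Restrict by source
#    network, protocol and port, and only for connections that were dst-natted.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=ether1 src-address=203.0.113.0/24 \
    protocol=tcp dst-address=192.168.88.2 dst-port=80 connection-nat-state=dstnat \
    action=accept comment="web-in"
# Without a final drop the forward chain accepts everything it was not told
# to drop, which is the situation the earlier reply in this thread described.
/ip firewall filter add chain=forward action=drop comment="default drop"

# 3. Check: connect from the allowed network and look for the translated flow.
/ip firewall connection print where dst-address~"192.168.88.2:80"
/ip firewall filter print stats where comment="web-in"
```

If your forward chain already ends in a drop, add the "web-in" accept with place-before pointing at that drop instead of appending it; a rule added after the drop is never reached.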
by Feklar
Tue Oct 03, 2017 5:58 pm
Forum: General
Topic: I can`t change message Welcome freeradius
Replies: 4
Views: 698

Re: I can`t change message Welcome freeradius

Once again, this is probably what you are looking for, specifically using the variables available to the hotspot servlet to display the information that you want based on the user variables:
https://wiki.mikrotik.com/wiki/Manual:C ... #Variables
by Feklar
Fri Sep 29, 2017 9:33 pm
Forum: General
Topic: I can`t change message Welcome freeradius
Replies: 4
Views: 698

Re: I can`t change message Welcome freeradius

That doesn't look like a supported attribute within the MikroTik.
https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client

This is probably closer to what you are looking for assuming that you are using the and wanting to display a custom message.
https://wiki.mikrotik.com/wiki/Manual:C ... ng_Hotspot
by Feklar
Fri Sep 29, 2017 7:41 pm
Forum: General
Topic: Trying to understand BTEST and why I get different reading
Replies: 1
Views: 465

Re: Trying to understand BTEST and why I get different reading

BTest is very resource intensive for a router to run and is limited to only one core, so it is generally not recommended that you run it on the device you are testing. Instead you should run it to a router in front of and behind the device you want to test.
by Feklar
Thu Sep 28, 2017 11:49 pm
Forum: General
Topic: force firewall in wan load balance to use specific wan [SOLVED]
Replies: 4
Views: 693

Re: force firewall in wan load balance to use specific wan [SOLVED]

Start with this, and work out from there:
/ip firewall mangle
add action=mark-connection chain=input comment="Reply to connections on Interfaces Traffic came in on." in-interface=ether1 new-connection-mark=input1_connection passthrough=no
add action=mark-connection chain=input in-interface=ether2 ne...
by Feklar
Thu Sep 28, 2017 12:17 am
Forum: General
Topic: force firewall in wan load balance to use specific wan [SOLVED]
Replies: 4
Views: 693

Re: force firewall in wan load balance to use specific wan [SOLVED]

Use the output chain in the mangle rules.
by Feklar
Fri Sep 08, 2017 5:31 pm
Forum: General
Topic: Item added, Item removed
Replies: 4
Views: 1382

Re: Item added, Item removed

Since the time matches up with the DHCP server, chances are it's removing the dynamic IP and once a new one is received it's adding a dynamic IP. If you are getting duplicate messages in the logs, that probably means your logging setup is set to log either system or info messages separately or do an...
by Feklar
Fri Sep 08, 2017 5:23 pm
Forum: Wireless Networking
Topic: Problem setting up html directory override
Replies: 3
Views: 981

Re: Problem setting up html directory override

Have you added the domain/IP to the walled garden in the hotspot? That needs to be setup as well for the redirect to work.
by Feklar
Fri Sep 08, 2017 5:19 pm
Forum: Wireless Networking
Topic: Hotspot relogin annoying
Replies: 5
Views: 720

Re: Hotspot relogin annoying

Also you can use the mac-cookie and cookie login options. Set the value for how long you want the login session to be valid for, I.E. 1 Day.
by Feklar
Wed May 17, 2017 12:06 am
Forum: General
Topic: RB3011 Exclusive user and password login
Replies: 1
Views: 495

Re: RB3011 Exclusive user and password login

You need not use User Manager, that's just Mikrotik's RADIUS server along with a few other things. RADIUS is nice if you want a central location to provide AAA services. However you can get by with local accounts if so desired for any service, be it PPPoE or Hotspot.
by Feklar
Fri Mar 17, 2017 7:08 pm
Forum: General
Topic: Can I have an HotSpot without login ?
Replies: 3
Views: 999

Re: Can I have an HotSpot without login ?

You can also embed a username and password in hidden fields and when they hit the submit button for the form those credentials are sent.
by Feklar
Fri Mar 17, 2017 5:36 pm
Forum: General
Topic: Two hotspot servers on one router.
Replies: 5
Views: 756

Re: Two hotspot servers on one router.

Same device or different devices for this test? I see in the first post that you mention that your are using a Radius Server to send a framed IP pool, is this correct? Or is there an Address pool set in the user profile locally? You can try using split user domains to isolate the Radius profiles fro...
by Feklar
Thu Mar 16, 2017 11:25 pm
Forum: General
Topic: Two hotspot servers on one router.
Replies: 5
Views: 756

Re: Two hotspot servers on one router.

Change the address pool in the hotspot server to what you want, or set it to none. If you specify the address pool, the hotspot arp-poisons the network which may be desirable if you have a lot of clients with misconfigured IP settings, but can cause some problems. This setting is how it knows wh...
by Feklar
Thu Feb 16, 2017 10:47 pm
Forum: Beginner Basics
Topic: Hotspot
Replies: 1
Views: 356

Re: Hotspot

You need to put the AP into bridged mode vs routed mode if you want to see clients behind the device.
by Feklar
Wed Feb 15, 2017 5:13 pm
Forum: General
Topic: I want the real mac
Replies: 3
Views: 579

Re: I want the real mac

Sounds like you are routing with the MikroTik instead of bridging if you do not see the layer 2 information from a connected client. To switch to bridging create a bridge and then assign the wireless interface and Ethernet interface to it. You will want to disable any DHCP servers that you have conf...
by Feklar
Wed Jan 25, 2017 11:57 pm
Forum: General
Topic: Hotspot 2000 users 500Mbps throughput
Replies: 2
Views: 626

Re: Hotspot 2000 users 500Mbps throughput

If I remember this presentation correctly, an 1100AH was configured to handle a couple thousand hotspot users at a time. 6+ years ago, I cannot remember everything that was in it.
http://mum.mikrotik.com/presentations/US10/FelixWindt.pdf
A lot of things have changed since 2010, but many of the optim...
by Feklar
Fri Dec 09, 2016 5:04 pm
Forum: General
Topic: Multiple Hotspot per interface
Replies: 1
Views: 458

Re: Multiple Hotspot per interface

One hotspot per logical interface. So you can use VLANs to get multiple hotspots on one physical interface for example. I'm not sure if you can run a hotspot service over an EoIP tunnel, but you could try that.
by Feklar
Fri Dec 09, 2016 4:40 pm
Forum: Beginner Basics
Topic: New User needs some setting up help
Replies: 3
Views: 535

Re: New User needs some setting up help

The reason for two bridges is because a MikroTik is first and foremost a router. Each interface on it is treated as an independent routed interface. By making a bridge you can tie two or more interfaces together to make a layer2 interface across them. So two SSIDs = 2 layer2 network segments, meanin...
by Feklar
Thu Dec 08, 2016 8:07 pm
Forum: Beginner Basics
Topic: port mirroring
Replies: 3
Views: 4008

Re: port mirroring

750 has a switch chip, so you can setup a port mirror.
http://wiki.mikrotik.com/wiki/Manual:Sw ... _Mirroring
by Feklar
Thu Dec 08, 2016 6:30 pm
Forum: Beginner Basics
Topic: New User needs some setting up help
Replies: 3
Views: 535

Re: New User needs some setting up help

Based on what you are asking, I'm guessing you want to do multiple SSIDs on the outdoor unit, one for staff and one for visitors. Let's first look at the outdoor unit.
1.) First thing to do is to create the two VLANs that are desired tied to the physical interface that will be the uplink to the main ...
by Feklar
Thu Dec 08, 2016 6:14 pm
Forum: Beginner Basics
Topic: Still having difficulty
Replies: 1
Views: 334

Re: Still having difficulty

For number one, you can use the Torch tool to see things in real time, but that doesn't give you historical data. If you want historical data, you will want to use netflows/traffic-flow. You need to setup a 3rd party server to collect the information and analyze it. This is more on a time delay depe...
by Feklar
Tue Dec 06, 2016 9:23 pm
Forum: General
Topic: A wireless router for 50 concurrent users
Replies: 16
Views: 2920

Re: A wireless router for 50 concurrent users

The red light is normal when it is pushing power out of the Ethernet port. As for the different bands, it is easiest to just have one SSID for both and let the client device make the decision as to what band to connect to. If it supports both 2.4 and 5Ghz most devices will decide to connect to 5Ghz ...
by Feklar
Fri Dec 02, 2016 12:22 am
Forum: General
Topic: Monitor Ubiquiti Unifi
Replies: 7
Views: 1181

Re: Monitor Ubiquiti Unifi

Depends on what SNMP server you want to use. It also depends on what OIDs the UniFi access point supports and lets you monitor. Just because it responds to SNMP/ping doesn't mean that it's "working", it is usually a good assumption, but not always. There have been times where one of my access points...
by Feklar
Fri Dec 02, 2016 12:08 am
Forum: General
Topic: HOTSPOT asking login multiple times
Replies: 8
Views: 2294

Re: HOTSPOT asking login multiple times

Most of the time when this issue comes up is if the client loses the DHCP lease for some reason. Do all access points share the same SSID, or are they different? Are all of your VLANs bridged together? If it's not the same SSID across the board, then the client device sees it as a different network...
by Feklar
Tue Nov 29, 2016 11:17 pm
Forum: General
Topic: navigation reports
Replies: 1
Views: 372

Re: navigation reports

You are looking for a proxy, and a way to make sure all of the employees use said proxy to access the internet. You can then log all requests that reach the proxy. Depending on your needs, the built in proxy may be enough, but more than likely you will want a dedicated one like Squid. As to how to ...
by Feklar
Tue Nov 29, 2016 5:30 pm
Forum: General
Topic: SIP Firewall Rules
Replies: 6
Views: 2448

Re: SIP Firewall Rules

Hi, Did you know how to make a layer 7? Now, I want to control LINE app via layer 7.
Check the manual that was linked, it has a link to a website that has several L7 Filters that you can try and use:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
http://l7-filter.sourceforge.net/protocols
Pas...
by Feklar
Fri Oct 28, 2016 6:43 pm
Forum: General
Topic: Guidance with replacing an Adtran router with a CCR please
Replies: 1
Views: 379

Re: Guidance with replacing an Adtran router with a CCR please

Here are the various firewalls
/ip firewall filter -> This is where your basic firewall rules are, the allow and deny (think your ACL)
/ip firewall nat -> This is where you define source and dst NAT
/ip firewall mangle -> This is where you can modify how the router handles routing and a few other th...
by Feklar
Fri Oct 07, 2016 8:56 pm
Forum: General
Topic: PCC side effect on Mikrotik Forum
Replies: 4
Views: 847

Re: PCC side effect on Mikrotik Forum

Set the PCC selector from "both addresses and ports" to "both addresses". This way communication from and to the same IP address always hashes the same and you don't get broken connections.
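Added example, not from any post on this page: a complete two-WAN PCC mangle set that uses the both-addresses classifier recommended in this post and in the "Best method to load balance 8 Wan" reply above, together with the input/output-chain connection marks that the "force firewall in wan load balance to use specific wan" replies above describe for the router's own traffic. Interface names ether1/ether2 (WANs) and bridge1 (LAN), the ISP gateways 203.0.113.1 and 198.51.100.1 and all mark names are assumed.

```routeros
# Added example (not from the thread): two-WAN PCC, classifier on both-addresses
# so every connection between a given LAN host and a given remote IP stays on
# one WAN. ether1/ether2 = WAN1/WAN2, bridge1 = LAN, 203.0.113.1 and
# 198.51.100.1 = ISP gateways, mark names: all placeholders.

/ip firewall mangle
# Router's own traffic: remember which WAN a connection arrived on (input)
# and send the replies back out that WAN (output). This is what the
# "use specific wan" replies above mean by using the input and output chains.
add chain=input in-interface=ether1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=ether2 action=mark-connection new-connection-mark=wan2_conn
add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2

# LAN traffic: classify each NEW, not-yet-marked connection to a non-local
# destination once. both-addresses:2/0 and :2/1 hash src+dst address into two
# buckets; both-addresses-and-ports would spread one host's connections to
# the same site across both WANs and break sites that track the client IP.
add chain=prerouting in-interface=bridge1 dst-address-type=!local connection-state=new \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=bridge1 dst-address-type=!local connection-state=new \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes

# Every packet of a marked LAN connection gets the matching routing mark.
add chain=prerouting in-interface=bridge1 connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=prerouting in-interface=bridge1 connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2

/ip route
# One default per routing mark, plus main-table defaults for unmarked traffic.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# Check: connection marks should split roughly evenly; each mark-connection
# rule's counter grows once per connection, not once per packet.
/ip firewall connection print where connection-mark~"wan"
/ip firewall mangle print stats where action=mark-connection
```

The connection-mark=no-mark and connection-state=new matchers are what keep the classifier from re-marking a connection on every packet; drop them and you lose both performance and the stickiness the post is after. To pin one host to one WAN regardless of destination, change both-addresses to src-address, as the earlier reply suggests.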
by Feklar
Tue Sep 06, 2016 11:16 pm
Forum: General
Topic: VLAN with Mikrotik and Unifi
Replies: 6
Views: 2742

Re: VLAN with Mikrotik and Unifi

Just got back into the office after a network install, were you able to get it to work?

The way you describe it should work, but I would need to see part of your configuration export if it's not to help much more.
by Feklar
Tue Aug 30, 2016 3:59 pm
Forum: General
Topic: compare 2 strings with numbers
Replies: 6
Views: 2636

Re: compare 2 strings with numbers

Then you will need to do the first option, and :tonum will work as long as you can break out the period between the numbers. To do that you will need to do some logic on the string to get what you want.
http://wiki.mikrotik.com/wiki/Manual:Scripting#Commands
First step will be getting the length of ...
by Feklar
Mon Aug 29, 2016 6:51 pm
Forum: General
Topic: Block Quic Protocol
Replies: 6
Views: 1601

Re: Block Quic Protocol

The problem is, it's not a protocol in the sense of layer 4, it is a layer 7 protocol, something that a router is generally not aware of since they are primarily a layer 3 device.
https://en.wikipedia.org/wiki/OSI_model#Description_of_OSI_layers
Now the MikroTik does have some layer 7 filtering functio...
by Feklar
Mon Aug 29, 2016 6:36 pm
Forum: General
Topic: compare 2 strings with numbers
Replies: 6
Views: 2636

Re: compare 2 strings with numbers

http://wiki.mikrotik.com/wiki/Manual:Scripting#Data_types
When you try to run a boolean operator on a string such as "<", it is not comparing the value of the string, but some other attribute of that string, because strings do not have a concept of a number. Now you can convert a string to a numbe...
by Feklar
Mon Aug 29, 2016 6:14 pm
Forum: General
Topic: VLAN with Mikrotik and Unifi
Replies: 6
Views: 2742

Re: VLAN with Mikrotik and Unifi

Only if you wanted to. My suggestion was based on a new setup, and being directly connected to the MikroTik. If you already have an admin network with access to other devices on a LAN, you need not change the Admin wireless. Instead just create the VLAN interface for the visitor wi-fi on the MikroTi...
by Feklar
Mon Aug 29, 2016 6:03 pm
Forum: General
Topic: 6.36.2 / 6.39 is BUGGED!
Replies: 3
Views: 1018

Re: 6.36.2 is BUGGED!

Not a bug, configuration issue. Change Log of 6.35:
*) l2tp - implemented l2tp and lns fastpath/fasttrack support;
See this response here: http://forum.mikrotik.com/viewtopic.php?f=21&t=111450#p554483
"Note that not all packets in a connection can be fasttracked, so it is likely to see some packets ...
by Feklar
Fri Aug 19, 2016 6:58 pm
Forum: General
Topic: VLAN with Mikrotik and Unifi
Replies: 6
Views: 2742

Re: VLAN with Mikrotik and Unifi

Create the two VLAN interfaces on the MikroTik for the interface that the UniFi AP is plugged into. Assign the IP addresses, DHCP servers, etc. to the VLAN interfaces. Create a firewall that blocks/allows the desired traffic on the MikroTik that reference the VLANs. In the UniFi controller assign th...
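Added example, not from this post or the other VLAN replies above (including the "one hotspot per logical interface" one): the MikroTik side of the steps Feklar lists, two VLAN interfaces on the AP's port with their own addresses and DHCP servers, and a firewall that keeps the visitor VLAN away from the staff VLAN and from the router's management services. Interface ether2 (AP uplink) and ether1 (WAN), VLAN IDs 10/20 and the 192.168.10.0/24 and 192.168.20.0/24 networks are assumed.

```routeros
# Added example (not from the thread): staff VLAN 10 and visitor VLAN 20 on
# ether2 (the port the UniFi AP is plugged into), each with its own address
# and DHCP, visitors isolated from staff and from the router itself.
# ether1 = WAN, ether2 = AP uplink, VLAN IDs and addresses: all assumed.

/interface vlan
add name=vlan10-staff interface=ether2 vlan-id=10
add name=vlan20-guest interface=ether2 vlan-id=20

/ip address
add interface=vlan10-staff address=192.168.10.1/24
add interface=vlan20-guest address=192.168.20.1/24

/ip pool
add name=pool-staff ranges=192.168.10.100-192.168.10.200
add name=pool-guest ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcp-staff interface=vlan10-staff address-pool=pool-staff disabled=no
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

/ip firewall filter
# Visitors may talk to the router for DHCP and DNS only: no WinBox, SSH,
# web or API from the guest VLAN.
add chain=input in-interface=vlan20-guest protocol=udp dst-port=53,67 action=accept comment="guest dhcp/dns"
add chain=input in-interface=vlan20-guest protocol=tcp dst-port=53 action=accept comment="guest dns tcp"
add chain=input in-interface=vlan20-guest action=drop comment="guests: no router services"
# Visitors get the internet and nothing internal. The RFC1918 drop covers the
# staff VLAN and anything else you add later without touching this rule.
add chain=forward in-interface=vlan20-guest dst-address=10.0.0.0/8 action=drop comment="guest isolation"
add chain=forward in-interface=vlan20-guest dst-address=172.16.0.0/12 action=drop comment="guest isolation"
add chain=forward in-interface=vlan20-guest dst-address=192.168.0.0/16 action=drop comment="guest isolation"
add chain=forward in-interface=vlan20-guest out-interface=ether1 action=accept comment="guest internet"

# Check: a guest client should get a 192.168.20.x lease and time out against
# 192.168.10.1, while the "guest isolation" counters climb.
/ip dhcp-server lease print where server=dhcp-guest
/ip firewall filter print stats where comment="guest isolation"
```

On the UniFi side the two SSIDs are tagged with VLAN 10 and 20 respectively, and the AP's own management address should live on the untagged network or the staff VLAN, never on the guest one. Because each VLAN is its own logical interface, a hotspot can be attached to vlan20-guest alone, which is the "one hotspot per logical interface" point made earlier on this page.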
by Feklar
Fri Aug 19, 2016 6:50 pm
Forum: General
Topic: DHCP issue, users getting IP outside set range
Replies: 7
Views: 2021

Re: DHCP issue, users getting IP outside set range

You can also use the alerts portion of the DHCP-Server and the built in script to send you an email, though the client seems to work a bit better. As far as the other subnets, there are a couple of possibilities that come to mind.
1.) If the end user picked up a lease from a bad DHCP server the leas...
by Feklar
Thu Aug 18, 2016 7:44 pm
Forum: General
Topic: DHCP issue, users getting IP outside set range
Replies: 7
Views: 2021

Re: DHCP issue, users getting IP outside set range

Check to see if there is another DHCP server on the network. The quickest way to do this is to create a DHCP client on the interface (with add default route set to no). If it gets a response from something, then you need to investigate the layer2 network and figure out where the other server is.
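Added example, not from the post: the probe Feklar describes as a DHCP client that installs nothing, followed by a bridge filter that logs and drops DHCP offers arriving from any port other than the one your real server is behind. The bridge name bridge1 and the assumption that the legitimate server sits behind ether1 are placeholders.

```routeros
# Added example (not from the post): find a rogue DHCP server on bridge1 and
# contain it. Assumed: the legitimate server is reached through ether1 and
# every other bridge port faces clients.

# 1. Probe: a DHCP client on the LAN bridge that keeps nothing it learns
#    (no default route, no DNS, no NTP), so it cannot hijack the router.
/ip dhcp-client add interface=bridge1 add-default-route=no use-peer-dns=no \
    use-peer-ntp=no comment="rogue DHCP probe" disabled=no

# After a few seconds: status "bound" with a dhcp-server that is not yours
# (or an address from a subnet you never hand out) is the rogue server.
/ip dhcp-client print detail where comment="rogue DHCP probe"

# 2. Containment: DHCP OFFER/ACK come from UDP source port 67. Anything with
#    that signature entering the bridge from a client port is logged, then
#    dropped before it can reach the other clients.
/interface bridge filter
add chain=forward in-interface=!ether1 mac-protocol=ip ip-protocol=udp src-port=67 \
    action=log log-prefix="rogue-dhcp" comment="rogue DHCP offer"
add chain=forward in-interface=!ether1 mac-protocol=ip ip-protocol=udp src-port=67 \
    action=drop comment="rogue DHCP offer"

# 3. Identify the port: the log line carries the in-interface and source MAC.
/log print where message~"rogue-dhcp"

# 4. Remove the probe once the offender is found; leave the filter in place.
/ip dhcp-client remove [find comment="rogue DHCP probe"]
```

Two caveats: on boards where the bridge ports are hardware-offloaded to the switch chip the bridge filter never sees switched traffic, so the drop only works for ports handled in software; and the drop lives in the forward chain, so offers aimed at the router's own probe client still arrive, which is what you want while you are hunting.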
by Feklar
Mon Aug 08, 2016 9:09 pm
Forum: General
Topic: Two hotspot on same vlan
Replies: 1
Views: 364

Re: Two hotspot on same vlan

Same VLAN means same layer2 segment, so no, they are a shared collision domain and you WILL run into issues with DHCP servers at the very least. Also each hotspot by default will ARP poison the network causing even further issues over layer2. What are you trying to accomplish with two CCRs? Any CCR ...
by Feklar
Mon Aug 01, 2016 8:22 pm
Forum: General
Topic: HTTPS Redirect on Hostspot
Replies: 2
Views: 572

Re: HTTPS Redirect on Hostspot

Chances are it's not something "special" they are doing as much as it is relying on the newer operating systems/mobile devices ability to detect that there is a login page and that people need to sign into the network. Try using an older OS, and I bet you will run into the same problem. The limiting...
by Feklar
Thu Jul 28, 2016 12:22 am
Forum: General
Topic: FILTER/NAT RULES FOR IPSEC VPN
Replies: 16
Views: 4252

Re: FILTER/NAT RULES FOR IPSEC VPN

You'll need to provide information for both/all router configs. It's also easier to see things with the export command than the print command.
by Feklar
Wed Jul 27, 2016 6:56 pm
Forum: Beginner Basics
Topic: Traffic monitoring - help needed
Replies: 1
Views: 537

Re: Traffic monitoring - help needed

I've used NFSen before. It's Linux based, so if nothing else you should be able to compile it for your pi.
by Feklar
Wed Jul 27, 2016 6:42 pm
Forum: General
Topic: FILTER/NAT RULES FOR IPSEC VPN
Replies: 16
Views: 4252

Re: FILTER/NAT RULES FOR IPSEC VPN

When using pure IPSec, it really doesn't use the routing table how you are thinking. What happens is the IPSec policy grabs the "interesting traffic", encrypts it, and then sends the encapsulated traffic to the SA. DST. from the SA. SRC. This traffic then is considered to be originating from the rou...
by Feklar
Wed Jul 27, 2016 6:32 pm
Forum: General
Topic: Content Filtering vs. Layer7 Filtering
Replies: 1
Views: 1440

Re: Content Filtering vs. Layer7 Filtering

It depends on what you are trying to do really.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties
Content matches on a per packet level if I remember correctly. So if content is split between 2 packets it will not match. Layer 7 ma...
by Feklar
Tue Jul 26, 2016 8:00 pm
Forum: General
Topic: Set packets marks
Replies: 3
Views: 2620

Re: Set packets marks

One refinement to the rule would be to set the connection state to new, or have it specify connection-mark=no-mark. This way the connection doesn't keep getting marked over and over, but otherwise it should work. You also probably want to mark from the LAN side to WAN side in your situation (hard fo...
by Feklar
Tue Jul 26, 2016 4:31 pm
Forum: General
Topic: Disable keep-alive feature of IPIP tunnel
Replies: 9
Views: 1501

Re: Disable keep-alive feature of IPIP tunnel

Report issues/bugs to support@mikrotik.com. Include a couple of Supout.rif when sending in the report. One with the issue where it puts in the keep alive automatically and one where you specify. You can also include a link to this thread for them to reference.
by Feklar
Mon Jul 25, 2016 10:56 pm
Forum: General
Topic: Disable keep-alive feature of IPIP tunnel
Replies: 9
Views: 1501

Re: Disable keep-alive feature of IPIP tunnel

/interface ipip add !keepalive local-address=10.10.10.5 name=ipip-tunnel1 remote-address=10.10.10.6
/interface ipip print
Flags: X - disabled, R - running, D - dynamic
 #    NAME          MTU   ACTUAL-MTU  LOCAL-ADDRESS  REMOTE-ADDRESS  KEEPALIVE  DSCP
 0 R  ipip-tunnel1  auto  1480        10.10.10.5     10.10.10.6                 inherit
Works fo...
by Feklar
Mon Jul 25, 2016 10:44 pm
Forum: General
Topic: x86 running 6.35.4 won't upgrade
Replies: 5
Views: 788

Re: x86 running 6.35.4 won't upgrade

When you go to /system packages what does it show? I've noticed if you go from a "main package" type install to an "extra packages" type install you sometimes need to go to system packages and tell it to uninstall the combined older version after upgrading. It should reboot and start with the newer ...
by Feklar
Mon Jul 25, 2016 10:33 pm
Forum: General
Topic: Disable keep-alive feature of IPIP tunnel
Replies: 9
Views: 1501

Re: Disable keep-alive feature of IPIP tunnel

Just don't specify the keep alive parameter when creating it, it appears to be disabled by default when you go to create that interface. If it is already created, go to it in WinBox and click on the arrow that will remove that part of the config.
by Feklar
Mon Jul 25, 2016 10:29 pm
Forum: General
Topic: Set packets marks
Replies: 3
Views: 2620

Re: Set packets marks

It changes what information is available on the packet when marking it. http://wiki.mikrotik.com/wiki/Manual:Packet_Flow Prerouting is done before Destination NAT, so if the packet is having that header changed you may or may not want to mark there, here you can only mark based on an in interface as...
by Feklar
Wed Jul 20, 2016 11:22 pm
Forum: General
Topic: Separation of traffic sent and received traffic
Replies: 20
Views: 1868

Re: Separation of traffic sent and received traffic

You would need to use a dynamic routing protocol like BGP and own your own IP space that you can advertise to two different providers. You can then use filters to advertise your available IP space differently and try and control how things are routed to you. Otherwise you cannot separate the upload ...
by Feklar
Wed Jul 20, 2016 6:20 pm
Forum: General
Topic: How does an external hotspot login page talk back to mikrotik?
Replies: 15
Views: 4433

Re: How does an external hotspot login page talk back to mikrotik?

The problem with server side hashing you may run into is preserving the information the MikroTik needs to sign in the appropriate user. If the server is doing the hashing, the client doesn't really know anything about it, and therefore the information will need to be submitted by the server on behal...
by Feklar
Wed Jul 20, 2016 6:15 pm
Forum: Scripting
Topic: Batch IP -> MAC address resolving
Replies: 5
Views: 1444

Re: Batch IP -> MAC address resolving

What I wrote was off the top of my head and not really tested. I ran this script through my test router and it produced the desired results:
:foreach i in=[/ip firewall address-list find list="static IP"] do={
    :local ADDR [/ip firewall address-list get number=$i address]
    :local MAC [/ip arp get [fin...
by Feklar
Tue Jul 19, 2016 10:57 pm
Forum: General
Topic: How does an external hotspot login page talk back to mikrotik?
Replies: 15
Views: 4433

Re: How does an external hotspot login page talk back to mikrotik?

Not a web dev or coder, but your steps should in theory work. It's just a matter of development time and testing. Any hashing should probably be done client side, and as long as the client has the appropriate JavaScript, you should be able to hash it any way that you desire. I believe that Mikro...
by Feklar
Tue Jul 19, 2016 6:52 pm
Forum: General
Topic: Mikrotik Sub-Interfaces for Dot1q Traffic
Replies: 3
Views: 1341

Re: Mikrotik Sub-Interfaces for Dot1q Traffic

Correct, you can add as many sub interfaces as you need to.
by Feklar
Tue Jul 19, 2016 6:32 pm
Forum: General
Topic: Missing first ping with Hotspot
Replies: 6
Views: 726

Re: Missing first ping with Hotspot

Static IP addresses work fine with or without proxy-arp. The reason why the MikroTik does it is for misconfigured clients. Let's say your hotspot network is 192.168.10.0/23, and a user comes in with a static IP address of 10.0.10.25/24 and a default gateway set of 10.0.10.1. With proxy-arp running th...
by Feklar
Tue Jul 19, 2016 6:09 pm
Forum: General
Topic: SSL cert and hotspot
Replies: 1
Views: 618

Re: SSL cert and hotspot

Unfortunately you cannot transparently redirect HTTPS. Every hotspot has this limitation. To do so is in essence a man-in-the-middle attack, and HTTPS has been designed to detect that and throw up a warning when it happens. When a user requests a secure website like https://www.google.com, the brows...
by Feklar
Tue Jul 19, 2016 6:02 pm
Forum: General
Topic: Mikrotik Sub-Interfaces for Dot1q Traffic
Replies: 3
Views: 1341

Re: Mikrotik Sub-Interfaces for Dot1q Traffic

This is the rough equivalent you are looking for. /interface vlan add interface="ether1" vlan-id=100 name=VLAN100 /ip address add interface=VLAN100 address=192.168.100.1/24 It will create a sub interface of VLAN100 on ether1 that you can reference just like any other interface, you can then assign a...
by Feklar
Tue Jul 19, 2016 2:00 am
Forum: General
Topic: How does an external hotspot login page talk back to mikrotik?
Replies: 15
Views: 4433

Re: How does an external hotspot login page talk back to mikrotik?

Encrypting/hashing the passwords is kind of tricky, this wiki post talks about them. http://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction#Authentication You can use HTTP CHAP for doing the login, but then the session isn't encrypted, but there is a hash done on the password. But it does requir...
by Feklar
Tue Jul 19, 2016 1:46 am
Forum: General
Topic: Missing first ping with Hotspot
Replies: 6
Views: 726

Re: Missing first ping with Hotspot

Yes, every other service/mechanism will work like it should, it just disables the ARP poisoning. So what you do lose is someone bringing in a computer, connecting to wireless with a static IP in a different range, and then being able to get online.
by Feklar
Mon Jul 18, 2016 7:46 pm
Forum: General
Topic: Missing first ping with Hotspot
Replies: 6
Views: 726

Re: Missing first ping with Hotspot

When using the hotspot it does strange things to layer2. This is because by default the router ARP poisons the layer2 network to enable it to act as the default gateway for misconfigured clients. But because it does this, it makes it difficult for devices to communicate directly because the ARP tabl...
by Feklar
Mon Jul 18, 2016 7:39 pm
Forum: General
Topic: How does an external hotspot login page talk back to mikrotik?
Replies: 15
Views: 4433

Re: How does an external hotspot login page talk back to mikrotik?

You are correct. The idea is that the user must log into the network and accept a ToS to get online. The router takes in the information posted by the user and checks to see if that combination is correct and will get the attributes for that specific username/password either from the profile or from...
by Feklar
Fri Jul 15, 2016 7:03 pm
Forum: General
Topic: create a new file in known-directory ?
Replies: 2
Views: 652

Re: create a new file in known-directory ?

file print file=hotspot/file.txt
by Feklar
Thu Jul 14, 2016 9:47 pm
Forum: General
Topic: RouterOS as L2TP Client for Meraki Client VPN
Replies: 7
Views: 3058

Re: RouterOS as L2TP Client for Meraki Client VPN

Yes that is what you will need to do. Go to the Wiki and there are examples of setting up IPSec. But basically you just need to understand how IPSec works, the option from the L2TP menu is just basic easy settings. L2TP and IPSec are two separate things, and should be thought of as such. They can be ...
by Feklar
Wed Jul 13, 2016 11:31 pm
Forum: General
Topic: How does an external hotspot login page talk back to mikrotik?
Replies: 15
Views: 4433

Re: How does an external hotspot login page talk back to mikrotik?

With this form tag and the input fields contained between the tags. <form method="post" action="http://<DNS name of Hotspot>/login" target="_self"> You specify a DNS name of the hotspot along with a local IP address that can be reached by the local user. When they click on the submit button it will ...
by Feklar
Wed Jul 13, 2016 11:13 pm
Forum: Scripting
Topic: Batch IP -> MAC address resolving
Replies: 5
Views: 1444

Re: Batch IP -> MAC address resolving

Something like this should work. You can create a logging action that will save script and info to a file and use that file however you desire. :foreach i in=[/ip firewall address-list find list="static IP"] do={ :local MAC [/ip arp get [/ip arp find address=$i] mac-address] :log info "IP Addr: $i M...
by Feklar
Wed Jul 13, 2016 10:58 pm
Forum: Scripting
Topic: Deleting log file doesnt create after
Replies: 1
Views: 434

Re: Deleting log file doesnt create after

Instead of deleting the log file, try setting the line count to 1 or 0 to clear it out in the logging action, then cycle it up to the desired length. I think that was the recommended way a while ago.
by Feklar
Wed Jul 13, 2016 10:20 pm
Forum: General
Topic: can not view IP cameras from inside network
Replies: 1
Views: 387

Re: can not view IP cameras from inside network

It should just be a simple routing/firewall thing. Does your central router know how to get to 10.10.9.243? Do you have firewall rules that prevent PPPoE interfaces from communicating to each other? Those would be the main things to check. The client should be using their PPPoE interface as their de...
by Feklar
Tue Jul 12, 2016 9:00 pm
Forum: General
Topic: VLAN tagging question
Replies: 7
Views: 691

Re: VLAN tagging question

Just have the VLAN toggled on the SFP interface with any set. This will allow you to see if the traffic is even coming in at all or not, don't narrow it down as what should be coming in will be minimal while testing. The SFP is not part of the switch chip as far as I remember, and as long as ports d...
by Feklar
Tue Jul 12, 2016 8:52 pm
Forum: General
Topic: Cannot find or install printer
Replies: 5
Views: 3652

Re: mikrotik problem with windows and printer

Dear, I have configured mikrotik. I make 2 address pools: 192.168.71.20-192.168.71.100 for dhcp and 192.168.71.101-192.168.71.250 for hotspot, and I make these 2 address pools for 1 lan so user can take dhcp ip and when they connect user name and pass i will be on hotsp...
by Feklar
Tue Jul 12, 2016 8:42 pm
Forum: General
Topic: VLAN tagging question
Replies: 7
Views: 691

Re: VLAN tagging question

What's on the other side? Do they have VLAN12 assigned as well? If you run torch on SFP1 with the VLAN tag switched on, does it show the traffic coming in tagged as it should, or leaving as it should? Have you cleared the ARP cache of the other device?
by Feklar
Tue Jul 12, 2016 7:10 pm
Forum: General
Topic: VLAN tagging question
Replies: 7
Views: 691

Re: VLAN tagging question

VLANs in a MikroTik are handled in the same way that Linux handles VLANs. It is considered a virtual interface that can be addressed, and run any service on top of like any other physical interface. So assign the VLAN to the interface, then assign the IP addresses and any other service that you want...
by Feklar
Tue Jul 12, 2016 5:53 pm
Forum: General
Topic: No responce by SNMP
Replies: 2
Views: 329

Re: No responce by SNMP

Your address is set to 0.0.0.0/32, that means it will only respond to SNMP requests from 0.0.0.0 and not every address. Set it to be either 0.0.0.0/0 and set an appropriate firewall and different community, or set it to respond to your specific snmp server.
by Feklar
Mon Jul 11, 2016 5:37 pm
Forum: Beginner Basics
Topic: Reverse Access Point
Replies: 12
Views: 1008

Re: Reverse Access Point

If I'm understanding you correctly, then you need two radio cards in the MikroTik, one to be a station and one to be the AP-Bridge. A virtual wireless interface follows the mode of the parent, so if you set the parent to be a station to pick up a DHCP lease and such, the virtual AP will follow that ...
by Feklar
Mon Jul 11, 2016 5:28 pm
Forum: General
Topic: RouterOS as L2TP Client for Meraki Client VPN
Replies: 7
Views: 3058

Re: RouterOS as L2TP Client for Meraki Client VPN

Chances are you will need to actually go to the IPSec settings themselves and edit them instead of relying on the built in "easy" settings selected by MikroTik. Since it is failing at phase1, you will need to edit the peer settings until you find out why they are not agreeing. Unfortunately the docu...
by Feklar
Mon Jul 11, 2016 5:15 pm
Forum: General
Topic: open port in hotspot wallgarden
Replies: 2
Views: 878

Re: open port in hotspot wallgarden

If you look in the NAT rules that are created for the hotspot, you will see that the router tries to redirect ports TCP 80, 3128, 8080, and 443 to itself on a different port that the hotspot service uses. Then in the filter rules it accepts connections from those ports. So when you try and connect t...
by Feklar
Mon Jul 11, 2016 5:08 pm
Forum: General
Topic: pcc and browser stall
Replies: 9
Views: 1542

Re: pcc and browser stall

Does it do it for every site, or just a few? Try moving to just "both-addresses" if it's just for a few sites that are having problems, you can also remove the dst-port=443 restriction that way.
by Feklar
Thu Jul 07, 2016 5:10 pm
Forum: General
Topic: Need help with IPSec setup....
Replies: 2
Views: 558

Re: Need help with IPSec setup....

1.) Your SA source and local IP address should be the public IP address of the MikroTik, basically the public IP address that is reachable from the Cisco. Otherwise it is trying to use a private IP address to communicate to a public one, that will not work unless NAT is involved, but then you need N...
by Feklar
Wed Jul 06, 2016 5:32 pm
Forum: General
Topic: Basic IPSec question
Replies: 6
Views: 658

Re: Basic IPSec question

There are two basic ways to go about this, I'm not completely sure about the second way I'm going to mention below, since I have never done it. Use another VPN type, such as GRE, IPIP, EoIP, L2TP, etc. One that creates a virtual interface on the router that you can assign IP addresses to, and refere...
by Feklar
Tue Jul 05, 2016 6:25 pm
Forum: General
Topic: Help to drop connection vpn
Replies: 8
Views: 1684

Re: Help to drop connection vpn

A quick google search shows this information about that program specifically, you can use that information to modify your current firewall setup: https://www.bestvpn.com/blog/11635/psiphon-review/ https://www.quora.com/How-does-psiphon-work It appears to use multiple different types of VPN to bypass...
by Feklar
Tue Jul 05, 2016 6:03 pm
Forum: General
Topic: EOIP works only when tunnel-id=0 or firewall disabled
Replies: 4
Views: 1504

Re: EOIP works only when tunnel-id=0 or firewall disabled

Solutions were given there, not specifically, but they are there. I don't know why ID 0 passes through, but the default configuration has a rule order like this for input. If indeed ID 0 passes through the default firewall, then there is a bug that needs to be reported to mikrotik, just not the bug ...
by Feklar
Tue Jul 05, 2016 5:51 pm
Forum: General
Topic: Hotspot dont pass SSL traffic after login
Replies: 2
Views: 380

Re: Hotspot dont pass SSL traffic after login

Provide an export of your current firewall rules "/ip firewall export" this will include all filter rules, NAT rules, and mangle rules. Also please provide "/ip route print", "/ip address export", and "/ip hotspot export". These are the most relevant parts of your configuration in regards to the hot...
by Feklar
Tue Jul 05, 2016 5:46 pm
Forum: General
Topic: Help to drop connection vpn
Replies: 8
Views: 1684

Re: Help to drop connection vpn

Are you wanting to block all VPNs from end users, or just specific programs? Depending on what you want to do will determine the path you want to take. Either one will require leg work and testing on your part to make sure it works as you desire and is not preventing traffic that you want to allow....
by Feklar
Thu Jun 30, 2016 4:46 pm
Forum: General
Topic: IPSEC as a backup link
Replies: 2
Views: 445

Re: IPSEC as a backup link

You will have to use a tunnel protocol and then use IPSec to encrypt the tunnel traffic for it to work properly (GRE, EoIP, L2TP, etc.). Otherwise each MikroTik will see the traffic you have designated to be sent down IPSec and will grab it instead of allowing it to flow normally over the microwave ...
by Feklar
Thu Jun 30, 2016 12:21 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7670

Re: Block Port 25 or not ?

Chances are you have the rules in the wrong order, below one that permits the traffic you are trying to log and filter out.
by Feklar
Thu Jun 30, 2016 12:09 am
Forum: General
Topic: Hotspot slowly browsing
Replies: 2
Views: 328

Re: Hotspot slowly browsing

You are not really giving much information to go on here. Do you have any rate limits applied to a new user on the hotspot (user profile)? That would be the first thing I would look at. After that I would move onto more in depth things, such as CPU load of the router, see if there are any firewall r...
by Feklar
Mon Jun 27, 2016 5:55 pm
Forum: General
Topic: How to pass WAN2 traffic to VPN in Load balancing?
Replies: 8
Views: 1618

Re: How to pass WAN2 traffic to VPN in Load balancing?

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=to_VPN in-interface=WAN2 \ new-routing-mark=VPN_route passthrough=no /ip route add comment="VPN Route" distance=1 dst-address=192.168.1.0/24 gateway=\ 192.168.1.254 routing-mark=VPN_route Couple of issues I see. 1.) Your m...
by Feklar
Wed Jun 22, 2016 3:43 pm
Forum: General
Topic: How to pass WAN2 traffic to VPN in Load balancing?
Replies: 8
Views: 1618

Re: How to pass WAN2 traffic to VPN in Load balancing?

The route added by that check goes into the main routing table, you need to create a similar route in the VPN_route table.
by Feklar
Tue Jun 21, 2016 6:57 pm
Forum: General
Topic: How to pass WAN2 traffic to VPN in Load balancing?
Replies: 8
Views: 1618

Re: How to pass WAN2 traffic to VPN in Load balancing?

Is the route active? What kind of VPN is it? I was assuming that it uses some kind of virtual interface such as L2TP or GRE. If it has a virtual interface you should be able to assign a default route to use it.
by Feklar
Mon Jun 20, 2016 8:15 pm
Forum: General
Topic: Mikrotik. Traffic-flow
Replies: 5
Views: 1182

Re: Mikrotik. Traffic-flow

Specify the interface you want to use in "/ip traffic-flow" then specify where you want to send the traffic-flow information in "/ip traffic-flow target"

http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
by Feklar
Mon Jun 20, 2016 8:12 pm
Forum: General
Topic: Mikrotik Hotspot
Replies: 3
Views: 676

Re: Mikrotik Hotspot

Someone help me out with dhcp lease loss issues. My clients get disconnected every 5mins Sent from my TECNO-L8 using Tapatalk 1.) It is usually bad form to reply to a thread that is old and doesn't apply to your problem. Start a new thread in that case. 2.) You provide no information about your cu...
by Feklar
Mon Jun 20, 2016 8:04 pm
Forum: General
Topic: How to pass WAN2 traffic to VPN in Load balancing?
Replies: 8
Views: 1618

Re: How to pass WAN2 traffic to VPN in Load balancing?

Something like this assuming you have a default route for your VPN tunnel. You will also need to pay attention to the rule order in your firewall. Make sure the new rules are above any load balancing rules, or the specific traffic is excluded from your current rules. /ip firewall mangle: add action=mark...
by Feklar
Mon Jun 20, 2016 7:50 pm
Forum: General
Topic: Microtik behind Microtik (with NAT)
Replies: 2
Views: 364

Re: Microtik behind Microtik (with NAT)

See if the ISP is willing to install a route to your internal network IP range by the IP address assigned to your MikroTik. That is really the best way to do it without NAT. If they are not, you can try using a bridge with your MikroTik's WAN and LAN ports, and have "Use IP Firewall" checked on the...
by Feklar
Mon Jun 20, 2016 6:31 pm
Forum: Beginner Basics
Topic: Bypass NAT for a certain user...
Replies: 4
Views: 1130

Re: Bypass NAT for a certain user...

You need to log into the Fortigate, and go to the routing section. Then there you specify the destination address as the LAN subnet for the MikroTik LAN, and the gateway as the WAN IP address of the MikroTik.
by Feklar
Fri Jun 17, 2016 6:41 pm
Forum: Beginner Basics
Topic: Bypass NAT for a certain user...
Replies: 4
Views: 1130

Re: Bypass NAT for a certain user...

In the Firewall NAT rules, create an accept rule in the src-nat chain for his specific IP and place it above the masquerade rule for the rest of the network. That specific IP will then be exempt from NAT. The Fortigate will need to know how to get back to the private IP subnet however with a route f...
by Feklar
Fri Jun 17, 2016 5:56 pm
Forum: General
Topic: SIP Firewall Rules
Replies: 6
Views: 2448

Re: SIP Firewall Rules

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7 Couple of things to keep in mind. 1.) Layer7 is VERY CPU hungry, use it sparingly and only on specific traffic that you know you want to watch. 2.) Layer7 only sees the first 2KB or 10 packets of a connection, it is not meant to watch every packet tha...
by Feklar
Fri Jun 17, 2016 5:50 pm
Forum: General
Topic: NAT Sticky with src-nat
Replies: 5
Views: 1433

Re: NAT Sticky with src-nat

Try using the action "same" and put in the range of IP addresses instead of src-nat.
http://wiki.mikrotik.com/wiki/Manual:IP ... Properties

Should fix the issue you are seeing.
by Feklar
Fri Jun 17, 2016 5:42 pm
Forum: General
Topic: Problem To PBR ( two Gateway )
Replies: 2
Views: 572

Re: Problem To PBR ( two Gateway )

1.) You only have two mangle rules listed there, and you do not list your routing table, hard to tell what is going on without all of the necessary information. 2.) According to your rules you are marking traffic coming INTO the router from the outside and trying to load balance it, that will not wo...
by Feklar
Thu Jun 16, 2016 6:02 pm
Forum: General
Topic: remote shutdown and turn it back on
Replies: 5
Views: 873

Re: remote shutdown and turn it back on

There are several switched PDUs out there that you could probably program to do that for you. It's adding another piece of hardware to the mix, but would accomplish the goal of shutting down the router and anything else attached to it.
by Feklar
Tue Jun 14, 2016 10:57 pm
Forum: General
Topic: Wintraff - Overload on your link
Replies: 13
Views: 1552

Re: Wintraff - Overload on your link

Any solution you come up with will be a kludge really. The issue is, you need to cut off the undesired traffic as close to the source as possible, be that on your own layer2 network, or on an outside provider's network. Since you cannot control an outside provider's network, you need to work within ...
by Feklar
Fri Jun 03, 2016 5:40 pm
Forum: Beginner Basics
Topic: Problem with layer 7 domain block
Replies: 4
Views: 1010

Re: Problem with layer 7 domain block

l7 rules are not meant for blocking webpages, they inspect packets, not URLs. a packet might not even contain the URL You can use transparent proxy + access list to block http websites, or you can use the new domain-address-list in latest RC versions to block any kind of traffic based on domain Tha...
by Feklar
Fri Jun 03, 2016 5:31 pm
Forum: General
Topic: Wintraff - Overload on your link
Replies: 13
Views: 1552

Re: Wintraff - Overload on your link

There is something you can do, I mentioned it several times. Call your provider, let them know about the DOS and have them investigate and cut down/block on the traffic on their network. Yes it's a manual process, but there is no other mechanism that is available for any vendor. If you wanted to scr...
by Feklar
Thu Jun 02, 2016 11:38 pm
Forum: Scripting
Topic: terminal scripts to isolate bridge ports to prevent ARP scanning on hotspot
Replies: 1
Views: 513

Re: terminal scripts to isolate bridge ports to prevent ARP scanning on hotspot

Set the same horizon value for each bridge port. This will prevent communication between them.
by Feklar
Thu Jun 02, 2016 8:33 pm
Forum: General
Topic: Mikrotik to PureVPN
Replies: 5
Views: 2229

Re: Mikrotik to PureVPN

I think they do have guides for IPsec: https://support.purevpn.com/how-to-setup-purevpn-l2tp-manually-on-mac and the RouterOS manual should give you some ideas where to apply this in RouterOS: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec Hi normis, Thanks for your response! These guides were the f...
by Feklar
Thu Jun 02, 2016 4:39 pm
Forum: General
Topic: Wintraff - Overload on your link
Replies: 13
Views: 1552

Re: Wintraff - Overload on your link

There's not much you can do yourself for external traffic because it's being delivered to you by your provider, a network you have no control over. They are just forwarding the packets on like they are supposed to. You can work with them to block, or cut down on specific traffic.
by Feklar
Wed Jun 01, 2016 4:52 pm
Forum: General
Topic: Wintraff - Overload on your link
Replies: 13
Views: 1552

Re: Wintraff - Overload on your link

Thanks for the reply friend, But how can I treat it? Through the layer two with switch? It depends on where it is coming from, and your network design. If it's within your network, then ideally you can do something about it on layer2 close to where the client is connected. If it's a managed switch ...
by Feklar
Wed Jun 01, 2016 1:07 am
Forum: General
Topic: Wintraff - Overload on your link
Replies: 13
Views: 1552

Re: Wintraff - Overload on your link

1.) UDP traffic does not care if the traffic gets where it is supposed to or not, it will happily keep sending traffic at full speed no matter what. It has no throttling mechanism built in like TCP. 2.) You cannot control what traffic a MikroTik receives on an interface from the router itself, you c...
by Feklar
Tue May 31, 2016 6:42 pm
Forum: General
Topic: [SOLVED] Tx & Rx rate via SNMP ?
Replies: 4
Views: 3019

Re: Tx & Rx rate via SNMP ?

TX and RX are bytes-in and bytes-out. What typically happens is the SNMP server polls the device a number of times for these OIDs and since it knows the difference in time between these two polls, it uses the difference between the numbers received to calculate the bandwidth for that time slice.
by Feklar
Tue May 31, 2016 4:53 pm
Forum: General
Topic: VPN and performance
Replies: 12
Views: 3493

Re: VPN and performance

This should do it. You can also change the L2TP's MTU value down to 1392 by editing the client interface. /ip firewall mangle add action=change-mss chain=forward new-mss=1392 out-interface=all-ppp protocol=tcp tcp-flags=syn tcp-mss=1393-65535 add action=change-mss chain=forward new-mss=1392 out-inte...
by Feklar
Fri May 27, 2016 10:07 pm
Forum: General
Topic: Block All Internet Access Except for Few HTTPS based Websites
Replies: 2
Views: 907

Re: Block All Internet Access Except for Few HTTPS based Websites

The only way to use the proxy to filter out HTTPS websites is to have each client configure the proxy settings for their computers, then you can have the necessary accept and deny rules. The reason for this is because you cannot intercept HTTPS traffic transparently, the computer will detect this an...
by Feklar
Fri May 27, 2016 5:39 pm
Forum: General
Topic: VPN and performance
Replies: 12
Views: 3493

Re: VPN and performance

Thanks Have had a look about to setup as an IPSec (not L2TP) tunnel client and can't seem to see anything. Are you saying I need to config at the console? VPN supplier has provided the following ipsec settings Destination: UN: PW: SECRET: The VPN is to a public/internet endpoint Thanks That's not e...
by Feklar
Thu May 26, 2016 8:04 pm
Forum: General
Topic: VPN and performance
Replies: 12
Views: 3493

Re: VPN and performance

The easiest way to check for fragmentation is to send out a ping with the do not fragment flag set down the VPN tunnel. In windows something like this: ping 4.2.2.2 -l 1450 -f It will tell you if the ping failed because the packet needed to be fragmented somewhere along the line. The Mikrotik can ac...
by Feklar
Thu May 26, 2016 7:37 pm
Forum: General
Topic: Can someone please explain the PSD attributes?
Replies: 6
Views: 4532

Re: Can someone please explain the PSD attributes?

It's just an arbitrary name really, you assign a value you want to the low ports and to the high ports. The router then takes that value when a new connection attempt comes in and adds it to the overall score for that source IP. If the overall score is greater than the defined threshold, the rule fi...
by Feklar
Wed May 25, 2016 11:40 pm
Forum: General
Topic: VPN and performance
Replies: 12
Views: 3493

Re: VPN and performance

What type of VPN are you using, and where does it terminate? What is the bandwidth at the other end of the tunnel? Have you tried lowering the MTU values of the tunnel to make sure packets are not getting fragmented? The 750 should be able to get you better speed than that, but it also depends on wh...
by Feklar
Wed May 25, 2016 11:11 pm
Forum: General
Topic: Can someone please explain the PSD attributes?
Replies: 6
Views: 4532

Re: Can someone please explain the PSD attributes?

Weight Threshold = Total score needed to be reached to be thought a port scan attempt
Delay Threshold = Time window for the scores to be calculated
Low Port Weight = Score assigned for a new connection for a port number less than 1024
High Port Weight = Score assigned for a new connection for a port...
by Feklar
Wed May 25, 2016 10:01 pm
Forum: RouterBOARD hardware
Topic: CCR1016-12G always has a core of 100%
Replies: 2
Views: 461

Re: CCR1016-12G always has a core of 100%

BGP can only run on one core currently. They are working on that for 7.x, I think they may still be stuck with one core, but they are improving how long it takes to process a full feed. There is nothing you can really do about that part. I'm not sure about the bonding part either, if that will be lo...
by Feklar
Wed May 25, 2016 9:52 pm
Forum: RouterBOARD hardware
Topic: 100Mbps VPN
Replies: 6
Views: 1286

Re: 100Mbps VPN

Thanks for the reply. Which RB has board with crypto-offload in hardware? I want to use the RB450G that I bought. Kind regards.

Currently these 3 kinds of boards have the acceleration hardware:
CCR line of boards
850Gx2
1100AHx2
The 3011 has acceleration hardware on the CPU, but it has not been imp...
by Feklar
Thu Mar 17, 2016 4:15 pm
Forum: General
Topic: 2011 with Andriod for USB Teathering
Replies: 2
Views: 357

Re: 2011 with Andriod for USB Teathering

No I haven't, but apparently it was an issue with the phone, I just rebooted it and the LTE interface shows up. Guess that's what I get for staring at a problem for too long, overlook doing the simple things.
by Feklar
Thu Mar 17, 2016 4:10 pm
Forum: General
Topic: 2011 with Andriod for USB Teathering
Replies: 2
Views: 357

2011 with Andriod for USB Teathering

I'm having a problem getting my Android phone working with a 2011 for USB tethering. The same phone works well with the CCR we have in the office, but when I try to use a 2011 for some testing with the tethering feature, it does not work. I have tried turning off the power to the 2011 without the ...
by Feklar
Thu Mar 10, 2016 7:09 pm
Forum: General
Topic: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address
Replies: 10
Views: 1393

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Ok, it looks like you will need to script something then to get it to work and have a dedicated firewall rule. You can get the dst-address of the route and add that to an address list to block communication from and to that IP address. :foreach DST in=([/ip route find gateway~"172.16.30."]) do={ :lo...
by Feklar
Wed Mar 09, 2016 7:24 pm
Forum: General
Topic: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address
Replies: 10
Views: 1393

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

The question remains, where are you getting the routes from? Are you manually putting them in? Are you trying to prevent users on the network from using certain default gateways? Are you wanting your router to not use certain gateways? The only traffic a router can control is traffic that goes over ...
by Feklar
Thu Mar 03, 2016 8:56 pm
Forum: General
Topic: Help blocking mac adress
Replies: 10
Views: 775

Re: Help blocking mac adress

I need help blocking mac address if the user that connects uses the gateway instead of IP. Example. My gateway is 192.168.1.1 and i connect to wireless with static IP 192.168.1.1 and use gateway 192.168.1.2 after about 5 min it will freeze the network. I need to block mac address if the user try to con...
by Feklar
Thu Mar 03, 2016 8:38 pm
Forum: General
Topic: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address
Replies: 10
Views: 1393

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

It's not really clear what you are looking to do based on your question or the information given. If you are receiving routes from RADIUS on your router, as far as I know there is no facility to filter what you receive short of modifying what is sent to you on the RADIUS server itself. There is a fi...
by Feklar
Tue Feb 23, 2016 8:30 pm
Forum: General
Topic: Load Balancing Policy for specific website?
Replies: 1
Views: 342

Re: Load Balancing Policy for specific website?

PCC runs a hash on the information that you feed it to randomize things a bit. If you have an accept rule higher up in the chain of your mangle that will match your specific website's IP address(es), that connection will not reach the other PCC rules and will go out the connection you specify.
by Feklar
Tue Feb 23, 2016 8:24 pm
Forum: General
Topic: wAP access problem
Replies: 7
Views: 1428

Re: wAP access problem

When using Netinstall, you can specify a configuration file by checking the configure script option, and selecting the file. Keep in mind if it runs into any syntax error, it will exit at the line it ran into the error and not process the file any further. The other option open to you would be to us...
by Feklar
Fri Feb 12, 2016 8:12 pm
Forum: Beginner Basics
Topic: Incomming and outgoing VPN combined
Replies: 19
Views: 2050

Re: Incomming and outgoing VPN combined

Then use the Torch tool to see what is going on traffic wise when you try and connect to the plex server. Set the interface to your LAN, the one facing the plex client. Specify the Src. Address of 192.168.1.13 and try and connect to the plex service. You will be able to watch the various connections c...
by Feklar
Fri Feb 12, 2016 6:58 pm
Forum: Beginner Basics
Topic: Incomming and outgoing VPN combined
Replies: 19
Views: 2050

Re: Incomming and outgoing VPN combined

So it is 192.168.1.13 (client) connecting TO an outside server. That does make a difference to the rule setup. For some reason I was thinking you had a plex server locally and were trying to use that. /ip firewall mangle add action=accept chain=prerouting comment="Plex traffic bypasses external VPN"...
by Feklar
Thu Feb 11, 2016 11:52 pm
Forum: Beginner Basics
Topic: Incomming and outgoing VPN combined
Replies: 19
Views: 2050

Re: Incomming and outgoing VPN combined

Ok, where are the connections to the plex server coming from, are they using the NAT rules from the outside? A local machine, or something else? The interface that you want to look at for torch is the interface of the router facing the plex server.
by Feklar
Thu Feb 11, 2016 11:14 pm
Forum: Beginner Basics
Topic: Incomming and outgoing VPN combined
Replies: 19
Views: 2050

Re: Incomming and outgoing VPN combined

Is the first rule incrementing at all and catching traffic? As far as torch goes, it is one of the greatest tools on RouterOS. When you open it through WinBox, I usually disable Src and Dst. Address6, set the interface to the one I want to watch, and enable port and protocol. Then let it run and wat...
by Feklar
Thu Feb 11, 2016 10:50 pm
Forum: Beginner Basics
Topic: Incomming and outgoing VPN combined
Replies: 19
Views: 2050

Re: Incomming and outgoing VPN combined

Is that the only port it uses to communicate? You could use the torch tool to view the communications and narrow down the rules and see what is going on. The second option is to use connection marks to catch both sides of the connection (assuming the first rule is incrementing). Something like this ...
by Feklar
Thu Feb 11, 2016 8:45 pm
Forum: Beginner Basics
Topic: Incomming and outgoing VPN combined
Replies: 19
Views: 2050

Re: Incomming and outgoing VPN combined

Is the rule incrementing? Is the traffic TCP or UDP? Is that the src or dst port? Do you have the rule set to match those things specifically?
by Feklar
Thu Feb 11, 2016 6:44 pm
Forum: General
Topic: Mikrotik with Just Cloud
Replies: 1
Views: 308

Re: Mikrotik with Just Cloud

You will need to give more information on your setup, preferably an export of your firewall filter, to be able to get more help. As long as you allow outbound connections from the LAN clients, they should be able to reach that site just fine. How are you blocking social media sites? That could also ...
by Feklar
Wed Feb 10, 2016 8:26 pm
Forum: General
Topic: 6.33.5 password resetting on its own
Replies: 2
Views: 558

Re: 6.33.5 password resetting on its own

I had a similar problem when running an x86 routerboard a couple of years ago. The HD the OS was installed to started to fail. It would lose its password and we could not write any files to the disk. A reboot would fix it for a bit, but the problem would always come back. The drive failed not too l...
by Feklar
Wed Feb 10, 2016 7:50 pm
Forum: Beginner Basics
Topic: Incomming and outgoing VPN combined
Replies: 19
Views: 2050

Re: Incomming and outgoing VPN combined

In your given situation, that is probably how I would have gone about it.
by Feklar
Tue Feb 09, 2016 9:49 pm
Forum: Beginner Basics
Topic: Incomming and outgoing VPN combined
Replies: 19
Views: 2050

Re: Incomming and outgoing VPN combined

Some more information is needed to be able to help much more, but here are some things that might point you in the direction that you want to go. The type of VPN you have set up (L2TP/IPSec, pure IPSec, etc.) will determine what you are trying to do. Since RouterOS does not support VTI fo...
by Feklar
Tue Feb 09, 2016 9:32 pm
Forum: Beginner Basics
Topic: Firewall - Block All, except HTTP... how to unblock FTP
Replies: 12
Views: 2180

Re: Firewall - Block All, except HTTP... how to unblock FTP

You shouldn't need the helper, you are just looking for an already established connection to port 21 for the first rule to match, meaning it's completed the 3-way handshake. The helper is looking inside of that connection to see if there are any related connections to the first. It just needs to be ...
by Feklar
Tue Feb 09, 2016 8:47 pm
Forum: Beginner Basics
Topic: Firewall - Block All, except HTTP... how to unblock FTP
Replies: 12
Views: 2180

Re: Firewall - Block All, except HTTP... how to unblock FTP

Sob Thank you for so "opened" answer. I was waiting for some magic ) for FTP, but, as you said, that magic is available only for unencrypted way. Also, I think about a way, when 1 - client goes to 21 port 2 - MIK adds his IP to "list" in firewall for some time 3 - MIK accepts forwarding of "list" o...
by Feklar
Thu Jan 21, 2016 11:16 pm
Forum: General
Topic: problem with netinstall in ubuntu 14.04 with wine 1.8
Replies: 2
Views: 978

Re: problem with netinstall in ubuntu 14.04 with wine 1.8

Are you running Wine with root privileges? If not, that is likely the cause of the error.
by Feklar
Tue Jan 19, 2016 7:17 pm
Forum: General
Topic: Mikrotik and monitoring (Nagios, Cacti and so on)
Replies: 3
Views: 6332

Re: Mikrotik and monitoring (Nagios, Cacti and so on)

Hello, did you find a solution for monitoring bandwidth (current, history using graph)? Thank you! Best wishes, Marko There are a TON of solutions out there, so it is really up to you and how much time, energy, and money you want to invest in a monitoring solution. They are all "good choices", but ...
by Feklar
Thu Dec 31, 2015 5:21 pm
Forum: Beginner Basics
Topic: IPSEC Site-to-site
Replies: 6
Views: 983

Re: IPSEC Site-to-site

What about your IPSec policies or firewall rules? Both of those could be the source of the issue. I have a couple of pure IPSec site to site tunnels and they work fine.
by Feklar
Thu Dec 31, 2015 5:03 pm
Forum: General
Topic: Help!!! can't ping from router to client
Replies: 4
Views: 1254

Re: Help!!! can't ping from router to client

Chances are it's a firewall setting from the information you have posted about your configuration. Did you remove the default firewall setup, or leave it in place? By default the router will only accept forward connections from a port that is not Ether1 if I remember correctly for the 951.
by Feklar
Thu Dec 31, 2015 4:58 pm
Forum: General
Topic: IPSEC source port 4500
Replies: 2
Views: 1278

Re: IPSEC source port 4500

UDP port 500 is used to exchange keys in a secure manner, UDP 4500 is a NAT-T tunnel. Think of it like the data session where port 500 is the control session. You shouldn't use port 4500 for both, you may be able to configure the MikroTik to accept the different port, but I don't know about strongSwan.
by Feklar
Wed Dec 30, 2015 10:12 pm
Forum: Beginner Basics
Topic: Hotspot splashpage / captive portal without auth
Replies: 29
Views: 30555

Re: Hotspot splashpage / captive portal without auth

Do you have the external URL added to the walled garden of the hotspot?
by Feklar
Wed Dec 30, 2015 9:35 pm
Forum: General
Topic: SNMP Number of DHCP lease used in pool
Replies: 1
Views: 1433

Re: SNMP Number of DHCP lease used in pool

You can do an OID count, that's how I monitor the number of connected devices to the wireless interface of a MikroTik: /usr/bin/snmpwalk <ip>:<port> -v 1 -c <comm> <oid> | /usr/bin/wc -l I'm not familiar with Nagios specifically, but that's the script I have in place for my Cacti server for counting ...
by Feklar
Wed Dec 23, 2015 5:45 pm
Forum: General
Topic: NetCut issue..
Replies: 2
Views: 693

Re: NetCut issue..

Hello Everybody, One of my hotspot users seems to be using NetCut; to take the whole internet bandwidth to him or herself. How can I detect him/her??? and how can I stop it from the router configuration? I need urgent help here. Thanks This is not something the MikroTik router can do, this is somet...
by Feklar
Mon Dec 21, 2015 8:37 pm
Forum: Beginner Basics
Topic: IPsec tunnel Mikrotik behind modem to PfSense
Replies: 1
Views: 674

Re: IPsec tunnel Mikrotik behind modem to PfSense

1.) The mikrotik will need to be the one to send the initial contact since it is behind NAT unless you are able to set up port forwarding on the modem. 2.) The Peer on the MikroTik needs to also be set to use NAT Traversal. With both of these things set, you should now see it starting to try and esta...
by Feklar
Mon Dec 21, 2015 8:30 pm
Forum: Beginner Basics
Topic: HotSpot + Squid
Replies: 3
Views: 1070

Re: HotSpot + Squid

You cannot intercept HTTPS transparently without it throwing up a certificate issue. In order for you to proxy HTTPS, the browser on the client machine must be aware of the proxy and be pointed to it, not really something you can control in a hotspot environment. There are ways to decrypt/encrypt HT...
by Feklar
Mon Dec 21, 2015 8:15 pm
Forum: General
Topic: snmp dies
Replies: 2
Views: 419

Re: snmp dies

Are you sure the SNMP traffic is still getting to the router? Check using Torch to see if there is any incoming traffic for port 161. If there is RX for SNMP, is there also TX when using Torch? Do you have your SNMP restricted to only a few IP addresses, and your server's IP has changed? Or did your ...
by Feklar
Fri Dec 18, 2015 5:50 pm
Forum: Beginner Basics
Topic: QUEUES TO GUARANTEE BANDWIDTH
Replies: 5
Views: 4865

Re: QUEUES TO GUARANTEE BANDWIDTH

What you are basically doing with creating the parent queue is setting a hard limit of how much bandwidth is available to all sub queues under it. This is so that the router knows how to divide the bandwidth up between all the children queues. With the leaf/sub queues, you once again assign a max-li...
by Feklar
Fri Dec 18, 2015 1:35 am
Forum: Beginner Basics
Topic: QUEUES TO GUARANTEE BANDWIDTH
Replies: 5
Views: 4865

Re: QUEUES TO GUARANTEE BANDWIDTH

Assuming that you have the appropriate packet marks in the mangle rules to identify download traffic: /queue tree add max-limit=6500k name="Download Gobal" parent=<LAN interface> queue=default add max-limit=6500k name=Cus1_Download parent="Download Gobal" queue=default packet-mark=Cus1_Download prio...
by Feklar
Fri Dec 11, 2015 6:25 pm
Forum: General
Topic: 951G different Pools per Interface same Subnet
Replies: 4
Views: 640

Re: 951G different Pools per Interface same Subnet

The answer is still no. I was trying to give you a way to get the information that you wanted. The other method of getting that information is to go to bridge -> hosts.
by Feklar
Fri Dec 11, 2015 4:47 pm
Forum: General
Topic: 951G different Pools per Interface same Subnet
Replies: 4
Views: 640

Re: 951G different Pools per Interface same Subnet

No there is not. I'm assuming that you are using the hotspot. Under Hotspot settings, enable "use IP firewall", and then you can show the bridge port under the hosts tab to see what port they are coming off of.
by Feklar
Thu Dec 03, 2015 7:11 pm
Forum: General
Topic: Would it be possible
Replies: 3
Views: 314

Re: Would it be possible

As Jarda said, it is possible, but the main question becomes, how do you determine a server fault? That it stops responding to pings, or that it no longer is serving any web requests, or that it still serves web requests, but not any content. A simple ping is easy to test for and use netwatch on, t...
by Feklar
Tue Dec 01, 2015 10:26 pm
Forum: Beginner Basics
Topic: How to ignore all traffic (including https), and redirect to a specific web page instead?
Replies: 1
Views: 368

Re: How to ignore all traffic (including https), and redirect to a specific web page instead?

/ip firewall nat add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=<WEB SERVER> /ip firewall nat add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=<WEB SERVER> Your webserver needs to be set to accept all website requests as if it owned that domain, fai...
by Feklar
Tue Dec 01, 2015 10:01 pm
Forum: General
Topic: Network traffic pattern alerts when redundant link goes down.
Replies: 3
Views: 523

Re: Network traffic pattern alerts when redundant link goes down.

Hello, I have searched the forums for ideas to identify when a redundant link goes down and have not been able to find any. If a tower has two high capacity redundant links available, and one goes down I need a way to become notified. Sure, if a BH literally dies nagios will alert us, but what if t...
by Feklar
Tue Dec 01, 2015 6:48 pm
Forum: General
Topic: Problem between 2 CCR Routers
Replies: 2
Views: 277

Re: Problem between 2 CCR Routers

Don't use BTest to get an idea of what the router is able to do, it is restricted to 1 core, and is not really built for that. The best thing to do is have a computer behind each router and run iperf or some other bandwidth test software between the two computers.
by Feklar
Wed Nov 18, 2015 9:02 pm
Forum: Beginner Basics
Topic: NAS / Printer in Hotspot
Replies: 5
Views: 1010

Re: NAS / Printer in Hotspot

It really depends on your configuration. What you would typically do is plug the NAS into a free port on the MikroTik, set up its own IP subnet and whatever other services you want to run on top of it. You then build an appropriate firewall to allow and disallow what you do or do not want.
by Feklar
Wed Nov 18, 2015 5:36 pm
Forum: Beginner Basics
Topic: NAS / Printer in Hotspot
Replies: 5
Views: 1010

Re: NAS / Printer in Hotspot

Your best solution would be to get the NAS on a separate routed interface with its own subnet. The problem you are likely running into is the universal NAT feature of the hotspot. It basically ARP-poisons the entire layer2 network so it can act as the default gateway for every device. This is done...
by Feklar
Wed Nov 18, 2015 5:21 pm
Forum: General
Topic: allow one website - firewall rules problem
Replies: 10
Views: 2745

Re: allow one website - firewall rules problem

You can redirect HTTP (port 80) to another IP address. Then the web server there needs to know to respond to every web page request with a default page that you want it to display. Relatively simple to do. Based off of your questions, it sounds like you are trying to setup a black list or white list ...
by Feklar
Wed Nov 18, 2015 12:33 am
Forum: General
Topic: allow one website - firewall rules problem
Replies: 10
Views: 2745

Re: allow one website - firewall rules problem

/ip firewall filter add chain=forward action=accept protocol=udp dst-port=53 place-before=0
by Feklar
Wed Nov 18, 2015 12:15 am
Forum: General
Topic: allow one website - firewall rules problem
Replies: 10
Views: 2745

Re: allow one website - firewall rules problem

Are you allowing DNS requests through? If not a browser will not even attempt to access the website since it doesn't know what IP address a domain name points to.
by Feklar
Wed Nov 18, 2015 12:11 am
Forum: General
Topic: allow one website - firewall rules problem
Replies: 10
Views: 2745

Re: allow one website - firewall rules problem

Once again, you are using the content feature, that works pretty much the same as layer7, it looks for text within a connection, and if it exists then it will accept it. Blocking by IP address is going to be the most reliable way for you to go depending on what websites you want to allow/disallow. Fa...
by Feklar
Tue Nov 17, 2015 11:51 pm
Forum: General
Topic: allow one website - firewall rules problem
Replies: 10
Views: 2745

Re: allow one website - firewall rules problem

Access to a website requires at least DNS and HTTP or HTTPS to work. If a computer cannot resolve a host name, they will not try to access the website. Secondly, facebook requires HTTPS by default now, that means all traffic between the computer and the web server is encrypted. The layer7 protocol w...
by Feklar
Mon Oct 12, 2015 10:41 pm
Forum: General
Topic: SNMP doesn't return through standard NAT (BUG?)
Replies: 8
Views: 1331

Re: SNMP doesn't return through standard NAT (BUG?)

You aren't really providing enough information for people to be able to really help here. A router routes, and so it doesn't care if the traffic is SNMP, HTTP, or anything else, a packet is a packet. So it could be a firewall rule you have, a NAT rule that you have, a routing rule that you have, or ...
by Feklar
Mon Oct 12, 2015 10:37 pm
Forum: General
Topic: load balance with only one interface
Replies: 11
Views: 1073

Re: load balance with only one interface

I'm assuming you have two different providers with their own subnet that they are forwarding to you plugged into a switch, and then plugged into the MikroTik. You can have both of these subnets assigned to the WAN interface of the MikroTik with the appropriate default routes. If both are doing DHCP...
by Feklar
Mon Oct 12, 2015 10:24 pm
Forum: General
Topic: load balance with only one interface
Replies: 11
Views: 1073

Re: load balance with only one interface

Multiple subnets can exist on one interface, so yes you can load balance with multiple subnets coming into one interface. You just need to narrow down the necessary rules to be based on IP addresses instead of the more generic interface. As for VLANs, you have to think about them appropriately, eac...
by Feklar
Mon Oct 12, 2015 8:45 pm
Forum: RouterBOARD hardware
Topic: United States 3G/4G USB Modem suppoort
Replies: 2
Views: 972

United States 3G/4G USB Modem suppoort

We are currently looking at providing a solution for 3G/4G backup here in the United States, and I have been trying to figure out a way to make that work. I have been going through the supported hardware list and the major carriers here in the US to see if one of their supported modems line up or no...
by Feklar
Mon Oct 12, 2015 4:51 pm
Forum: Beginner Basics
Topic: VPN Mikrotik - Juniper
Replies: 5
Views: 1855

Re: VPN Mikrotik - Juniper

The OP can't make any changes on the Juniper, which is why I had thought you had suggested an L2 tunnel between a pair of Mikrotiks at Site I and Site II. With an L2 tunnel [eg EoIP] the Juniper won't know that Site II hosts aren't actually at Site I. Obviously, Site II will need to be r...
by Feklar
Mon Oct 05, 2015 9:46 pm
Forum: General
Topic: please
Replies: 5
Views: 492

Re: please

If they are two different providers, you cannot unless you can peer BGP with both of them with your own AS number and /24.
by Feklar
Mon Oct 05, 2015 9:34 pm
Forum: General
Topic: Block Apple Multicast
Replies: 2
Views: 1714

Re: Block Apple Multicast

How do you have the access point setup? I'm assuming that you have the wireless card bridged with a physical interface. If so do you have the bridge set to use the firewall?
by Feklar
Mon Oct 05, 2015 8:16 pm
Forum: General
Topic: Securing Mikrotik without using Firewall for fastpath
Replies: 5
Views: 742

Re: Securing Mikrotik without using Firewall for fastpath

1.) Fast path works on forwarding packets, the services work on the input chain, so securing them via firewall should not affect fast path performance.
2.) You can disable unwanted services running on the router, and you can also change the port they listen on to obscure things a bit more.
by Feklar
Wed Sep 30, 2015 6:16 pm
Forum: Beginner Basics
Topic: Mikrotik hotspot and Unifi as Access Point
Replies: 4
Views: 2034

Re: Mikrotik hotspot and Unifi as Access Point

Did you setup the SSID for the access point as a guest one? If so, those settings are still in place even though it's not directly associated with a controller. By default the MikroTik does not respond to pings on the Hotspot interface for guests that are unauthorized.
by Feklar
Tue Sep 29, 2015 10:00 pm
Forum: Beginner Basics
Topic: Mikrotik hotspot and Unifi as Access Point
Replies: 4
Views: 2034

Re: Mikrotik hotspot and Unifi as Access Point

The UniFi controller has a built in firewall on each access point that blocks communication to all RFC 1918 addresses. You need to add the MikroTik's Hotspot address to the allowed IP subnets so that your computer can communicate properly. Something like 192.168.88.1/32 for a single address.
by Feklar
Wed Sep 23, 2015 6:45 pm
Forum: General
Topic: to let any one login to pppoe server
Replies: 1
Views: 255

Re: to let any one login to pppoe server

You can probably get it working by using an external Radius server like FreeRadius and have it hard coded to accept any password entry as valid. It's a little tricky, but it is possible to get FreeRadius to do so. Being able to do it with just what is built into the MikroTik is very doubtful.
by Feklar
Mon Sep 21, 2015 9:22 pm
Forum: General
Topic: pfsense firewall and mikrotik
Replies: 4
Views: 4067

Re: pfsense firewall and mikrotik

actually we want to use vlan for our pop. every pop should be in different vlan and each pop is connected over fiber using l3 switches (sfp compatible). as per the image we want that each l3 i.e. the first switch at pop should be connected with mikrotik then the distribution should be done as per t...
by Feklar
Tue Sep 15, 2015 10:12 pm
Forum: General
Topic: pfsense firewall and mikrotik
Replies: 4
Views: 4067

Re: pfsense firewall and mikrotik

hi i am using mikrotik for isp but mikrotik cant support vlan concept. so i have question can i use mikrotik hotspot in pfsense. i want to use mikrotik as web server only for captive pages. thankx in advanse You will need to explain more of what you are looking to do, it's not clear at all based on...
by Feklar
Tue Sep 15, 2015 7:52 pm
Forum: General
Topic: Weird IP scan
Replies: 2
Views: 375

Re: Weird IP scan

Sounds like some form of proxy-arp going on.
by Feklar
Tue Sep 15, 2015 7:45 pm
Forum: General
Topic: Can CCR1009 Handle this ?
Replies: 26
Views: 2356

Re: Can CCR1009 Handle this ?

Unfortunately I'm not an ISP, so I have very little experience in your specific use case. Someone with more experience will probably chime in and correct me if I am wrong. I would probably go in with a CCR 1036 or an x86 solution to be on the safe side of things. Being able to handle the bandwidth i...
by Feklar
Tue Sep 15, 2015 6:59 pm
Forum: General
Topic: Howto Force route for specific host via primary wan link
Replies: 10
Views: 2362

Re: Howto Force route for specific host via primary wan link

/ip route rule add action=lookup-only-in-table dst-address=8.8.8.8/32 table=pppoe-out1 This will affect client traffic as well, unless you narrow it down with a src-address as well, but it is a way to force that destination to only ever use pppoe-out1. Otherwise what happens is if there is no active...
by Feklar
Tue Sep 15, 2015 6:49 pm
Forum: General
Topic: Can CCR1009 Handle this ?
Replies: 26
Views: 2356

Re: Can CCR1009 Handle this ?

It depends on how you are delivering service and rate limits to the end users. If the CCR is just routing, yes it is able to handle that.
http://routerboard.com/CCR1009-8G-1S

However if it needs to do queues, PPPoE/Hotspot, QoS, etc. that may become an issue.
by Feklar
Wed Sep 09, 2015 8:19 pm
Forum: RouterBOARD hardware
Topic: Which RouterBoard
Replies: 3
Views: 684

Re: Which RouterBoard

Pretty much any board will do what you are asking, what kind of bandwidth are you looking at? A 951 would be a decent place to start depending on the number of needed wired ports and assuming that you want built in wireless. You could move up to a 2011 with the wireless card built in if you need mor...
by Feklar
Wed Sep 02, 2015 6:36 pm
Forum: General
Topic: RB450G license issues
Replies: 1
Views: 281

Re: RB450G license issues

You'll need to email support@mikrotik.com for help with any licensing issues. This is a user forum, and while there are staff members that are here on the forum, this is not their official support channel.
by Feklar
Tue Sep 01, 2015 11:01 pm
Forum: General
Topic: Security Hotspot Routing Question.
Replies: 2
Views: 507

Re: Security Hotspot Routing Question.

/ip firewall mangle add action=change-ttl chain=forward new-ttl=set:1 out-interface=<LAN INTERFACE> passthrough=no Use this rule, or something like it, to change the TTL of packets down to one. What will happen is when a router connected to the LAN of the network receives the packet and forwards it...
by Feklar
Tue Sep 01, 2015 10:50 pm
Forum: General
Topic: How to block Microsoft via static DNS entry
Replies: 16
Views: 3076

Re: How to block Microsoft via static DNS entry

/ip dns static
add address=127.0.0.1 name=".*\\.microsoft\\..*"
add address=127.0.0.1 name="^microsoft\\..*"
You will need to force all DNS requests to go through your router for the local clients, or at least make sure their DNS settings are pointed only at you.
by Feklar
Tue Aug 11, 2015 11:34 pm
Forum: General
Topic: Log Daily Detailed Usage for Users ?
Replies: 3
Views: 418

Re: Log Daily Detailed Usage for Users ?

Part of the interim update contains the bytes sent and received for a given user.
by Feklar
Mon Aug 10, 2015 10:25 pm
Forum: General
Topic: Log Daily Detailed Usage for Users ?
Replies: 3
Views: 418

Re: Log Daily Detailed Usage for Users ?

Use the Acct-Interim-Interval RADIUS attribute to force a status update every so often to the RADIUS server.
http://wiki.mikrotik.com/wiki/Manual:RA ... ess-Accept
by Feklar
Mon Aug 10, 2015 6:45 pm
Forum: General
Topic: Minimum bandwidth guarantee
Replies: 3
Views: 1312

Re: Minimum bandwidth guarantee

It depends on how you have the pcq setup. You can have it where it sets a hard limit on everyone, or set it so that if only one person is using it, they get everything, and are only cut back when others need bandwidth. http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ#PCQ_Rate_Examples It also depen...
by Feklar
Wed Aug 05, 2015 9:12 pm
Forum: General
Topic: Minimum bandwidth guarantee
Replies: 3
Views: 1312

Re: Minimum bandwidth guarantee

You can try PCQ as the queue type to more evenly spread things around.
http://wiki.mikrotik.com/wiki/Manual:Qu ... Q_Examples
by Feklar
Wed Aug 05, 2015 9:06 pm
Forum: Beginner Basics
Topic: Arp/mac Spoofing
Replies: 1
Views: 815

Re: Arp/mac Spoofing

Setup your layer2 network in such a way that people cannot see other devices on the network other than the gateway. Something at the core of the network can never block/prevent stuff from happening at the edge of a network. That must be taken care of and controlled at the edge.
by Feklar
Wed Jul 29, 2015 6:52 pm
Forum: General
Topic: Natting Issue urgent help needed ?
Replies: 9
Views: 850

Re: Natting Issue urgent help needed ?

Switch from masquerade to src-nat and specify what IP address you want the 192.168.1.0/24 subnet to use. You can also use the Torch tool on Ether1 to see what traffic is being sent out and spot an issue with how the packets are being processed.
by Feklar
Thu Jul 23, 2015 10:30 pm
Forum: General
Topic: Can anyone point me to how to setup a direct IPSEC tunnel?
Replies: 5
Views: 977

Re: Can anyone point me to how to setup a direct IPSEC tunnel?

Pure IPSec in Mikrotik does not let you route over the tunnels. What happens is that the IPSec policy sees the source and dst address that you have selected, and then pushes it through the IPSec process to be sent to the other site. If you wanted to run routing, you need to run another interface an...
by Feklar
Wed Jul 22, 2015 6:36 pm
Forum: General
Topic: knowning which websites hotpsot user go to
Replies: 11
Views: 1440

Re: knowning which websites hotpsot user go to

NTop does work on Windows, but the Solar Winds should work as well, I just don't think it is free past the trial period. You are showing SNMP settings on the router, SNMP and Traffic flow are two separate things. After enabling traffic flow, you need to set a target. The Target is the IP and Port th...
by Feklar
Tue Jul 21, 2015 9:32 pm
Forum: General
Topic: knowning which websites hotpsot user go to
Replies: 11
Views: 1440

Re: knowning which websites hotpsot user go to

NTop is the easiest to install but is a bit of a pain to get it to collect netflows. NFSen is designed to be a netflows collector, and would probably be the better choice of the two.
by Feklar
Mon Jul 20, 2015 8:14 pm
Forum: General
Topic: knowning which websites hotpsot user go to
Replies: 11
Views: 1440

Re: knowning which websites hotpsot user go to

Netflows uses a collector server to gather all of the information into one place and process it. So you would need to setup a server somewhere that the exporter (your router) would send the information to. You can then log into the collector and see the connections that have gone over the router...
by Feklar
Fri Jul 17, 2015 5:37 pm
Forum: General
Topic: Any custom user permission feature available ?
Replies: 3
Views: 481

Re: Any custom user permission feature available ?

Create a group in system users, and assign a different skin to it, then assign a user to that group.
by Feklar
Thu Jul 16, 2015 10:01 pm
Forum: General
Topic: MikroTik Firewall
Replies: 17
Views: 2440

Re: MikroTik Firewall

There is by default an accept all in a Mikrotik, so you could just use one rule if that's what you really want /ip firewall filter add action=drop chain=input in-interface=<WAN interface> The idea though is to protect the router a bit more, as well as anyone using it to access the internet. Hence the in...
by Feklar
Thu Jul 16, 2015 9:35 pm
Forum: General
Topic: MikroTik Firewall
Replies: 17
Views: 2440

Re: MikroTik Firewall

Building a standard stateful firewall will be the best thing you can do. /ip firewall filter add chain=input comment="Accept Established" connection-state=established add chain=input comment="Accept related" connection-state=related add action=drop chain=input comment="Drop invalid" connection-state=in...
by Feklar
Thu Jul 16, 2015 9:01 pm
Forum: General
Topic: Any custom user permission feature available ?
Replies: 3
Views: 481

Re: Any custom user permission feature available ?

You can use webfig and create a skin for a specific user. That way they only see what you want, but it's not meant for security.
by Feklar
Thu Jul 16, 2015 8:08 pm
Forum: General
Topic: Packet Reordering
Replies: 6
Views: 1474

Re: Packet Reordering

Using Torch or a packet capture to make sure you are identifying the Steam download correctly would be the next step. See what connection, and the IP addresses that are pushing the most data. If you are, is the max upload bandwidth set to 90% of the capacity in the queues? Once traffic on most links...
by Feklar
Thu Jul 16, 2015 6:59 pm
Forum: General
Topic: Edit Hotspot users uptime counter
Replies: 3
Views: 515

Re: Edit Hotspot users uptime counter

I don't believe so, if you need the data stored on the router, you can add a comment to each user and mention the approximate uptime at the time of resetting them.
by Feklar
Wed Jul 15, 2015 8:38 pm
Forum: General
Topic: cacti: Mikrotik RouterOS Statistics (Update 11/19/2013)
Replies: 85
Views: 58007

Re: cacti: Mikrotik RouterOS Statistics (Update 11/19/2013)

josu see all my posts above. As I had wrote there is no way to configure interfaces bandwidth collecting via SNMP on MikroTik RB951 at least. If you will find the way you will be a pioneer (let me know how). Can you do a SNMP walk of the MikroTik in the first place? I don't own a 951, but I believe...
by Feklar
Wed Jul 15, 2015 7:48 pm
Forum: General
Topic: Dynamic hotspot rules in wrong order?
Replies: 1
Views: 352

Re: Dynamic hotspot rules in wrong order?

Someone manually moved the rules above the dynamic ones at some point. Depending on the rules it may or may not affect functionality since rules are processed in order within its chain.
by Feklar
Wed Jul 15, 2015 7:31 pm
Forum: General
Topic: Packet Reordering
Replies: 6
Views: 1474

Re: Packet Reordering

With your current setup, do you see the traffic going through the queues at all? Do the statistics go up? Do you see the bandwidth counters when you watch the tree? If not that means the traffic is not being processed by the queue. When I first started to play around with QoS I found trying to do mu...
by Feklar
Wed Jul 15, 2015 7:19 pm
Forum: General
Topic: cacti: Mikrotik RouterOS Statistics (Update 11/19/2013)
Replies: 85
Views: 58007

Re: cacti: Mikrotik RouterOS Statistics (Update 11/19/2013)

The basic templates work fine if you are looking for interface statistics, that is standard SNMP information. If you are looking for other SNMP information (like number of hotspot users, or number of wireless clients), you can make your own templates, or use some of the other templates that are avai...
by Feklar
Tue Jul 14, 2015 8:19 pm
Forum: General
Topic: Tracking users on Wifi AP in MikroTik
Replies: 2
Views: 593

Re: Tracking users on Wifi AP in MikroTik

What kind of information are you looking for, or what is your intended use? One of the most basic ways to do this would be to use SNMP to get the number of registered wireless clients out of each access point and generate a chart based off of that information. If you are looking for this information...
by Feklar
Tue Jul 14, 2015 8:15 pm
Forum: General
Topic: knowing which websites hotspot users go to
Replies: 11
Views: 1440

Re: knowing which websites hotspot users go to

If you want to keep a log of what URLs are being requested by guests, set up a squid proxy and force them to use it with a NAT rule, or parent proxy inside of the MikroTik. It will only work for HTTP though, as you cannot transparently redirect HTTPS. If you needed HTTPS requests as well you need to h...
by Feklar
Tue Jul 07, 2015 8:20 pm
Forum: RouterBOARD hardware
Topic: Mikrotik OS router License recovery
Replies: 4
Views: 810

Re: Mikrotik OS router License recovery

Contact support@mikrotik.com, only they can help you with licensing issues. Even if you had the license key backed up, it is tied to a specific hard drive; you would need to contact them to get it moved to another drive.
by Feklar
Tue Jul 07, 2015 7:50 pm
Forum: General
Topic: Web Proxy CPU High Load
Replies: 8
Views: 3869

Re: Web Proxy CPU High Load

Chances are if you do not have any restrictions on the proxy either via the firewall or the proxy rules, you have an external bot(s) using your proxy causing the CPU load to be that high. You need to lock down the proxy so that only people from your hotspot can access it and use it, the easiest way ...
by Feklar
Thu Jul 02, 2015 7:31 pm
Forum: General
Topic: Hotspot - keepalive-timeout
Replies: 8
Views: 12927

Re: Hotspot - keepalive-timeout

I like to edit them to be the same, but you can turn it off by editing the user profile.
by Feklar
Wed Jul 01, 2015 9:19 pm
Forum: General
Topic: Hotspot - keepalive-timeout
Replies: 8
Views: 12927

Re: Hotspot - keepalive-timeout

Edit the user profile and set the Keep Alive timeout to be the same as the idle timeout.
/ip hotspot user-profile
by Feklar
Tue Jun 30, 2015 8:05 pm
Forum: General
Topic: Some crazy issue with Microtik, customer complaining about Logout when doing bigger downloads
Replies: 5
Views: 688

Re: Some crazy issue with Microtik, customer complaining about Logout when doing bigger downloads

See what attribute they are returning to you via Radius. I'm guessing it would be one of these: Mikrotik-Recv-Limit, Mikrotik-Recv-Limit-Gigawords, Mikrotik-Xmit-Limit, Mikrotik-Xmit-Limit-Gigawords. The other option would be to turn off Interim Update in the Hotspot Server Profile, but then you would l...
by Feklar
Tue Jun 30, 2015 7:59 pm
Forum: General
Topic: How does the client choose which DHCP server to get an address from?
Replies: 4
Views: 743

Re: How does the client choose which DHCP server to get an address from?

It depends on the hardware you have really. The TP-Link likely does not support VLANs and multiple SSIDs, and the switches (if any) between the MikroTik and the TP-Link would also need to support them.
by Feklar
Tue Jun 30, 2015 7:23 pm
Forum: General
Topic: Some crazy issue with Microtik, customer complaining about Logout when doing bigger downloads
Replies: 5
Views: 688

Re: Some crazy issue with Microtik, customer complaining about Logout when doing bigger downloads

I believe that you can log the radius packets being received by the logging facility in the Mikrotik, it will generate a ton of info, but should give you a picture of what is being returned and sent and what to look at. You could also log into the Radius server and see the attributes you are suppose...
by Feklar
Tue Jun 30, 2015 6:36 pm
Forum: General
Topic: Hotspot stop working
Replies: 4
Views: 929

Re: Hotspot stop working

My best guess would point to the proxy working alongside the hotspot. How do you have the rules structured to send them to the squid server? Is it upon sign-in and a dst-nat rule, or is it using the parent proxy option in the MikroTik?
by Feklar
Tue Jun 30, 2015 6:30 pm
Forum: General
Topic: How does the client choose which DHCP server to get an address from?
Replies: 4
Views: 743

Re: How does the client choose which DHCP server to get an address from?

The clients typically will "choose" the DHCP server that responds the fastest, so there is no real way of controlling that client side, you really only want one DHCP server running on any layer2 segment of a network. If you want the TPLink to act more like an access point, turn off the DHCP server o...
by Feklar
Tue Jun 30, 2015 6:14 pm
Forum: General
Topic: Some crazy issue with Microtik, customer complaining about Logout when doing bigger downloads
Replies: 5
Views: 688

Re: Some crazy issue with Microtik, customer complaining about Logout when doing bigger downloads

I'm assuming that you are using RADIUS, correct? What are the Radius attributes that you are giving to him upon sign-in? How is he signed into the network, by the MAC address of his device, or PPPoE?

It does sound like it is an attribute issue with the Radius server.
by Feklar
Fri Jun 26, 2015 7:24 pm
Forum: General
Topic: Best practice of adding src addresses to list
Replies: 1
Views: 573

Re: Best practice of adding src addresses to list

You can add connection-state=new to the filter rule itself, that will narrow it down to only new connections. I'm not sure what the performance impact would be to just leave it as is, but what would happen is it would just refresh the timer every time a new packet was processed through that rule. Th...
by Feklar
Fri Jun 26, 2015 7:08 pm
Forum: General
Topic: Nonactive Hosts In the hotspot trying to connect to Dropbox
Replies: 1
Views: 479

Re: Nonactive Hosts In the hotspot trying to connect to Dropbox

You can try using this rule to limit the number of active connections a user can have to your hotspot at a given time so it doesn't have to process as much:
/ip firewall filter add action=drop chain=pre-hs-input connection-limit=10,32 dst-port=64872-64875 protocol=tcp
You could also outright block t...
by Feklar
Fri Jun 26, 2015 6:58 pm
Forum: General
Topic: Website visitors
Replies: 3
Views: 733

Re: Website visitors

Push them through a proxy and keep track of the logs if you want the actual URL that they are requesting. The other option is using a tool like NetFlows/Traffic Flow, but that will not give you the domain names, just the IP addresses that were connected to.
by Feklar
Mon Jun 22, 2015 9:42 pm
Forum: General
Topic: What is ARP-published feature for?
Replies: 24
Views: 9687

Re: What is ARP-published feature for?

For the MAC address, you edit by the command line, I don't know why it's not accessible by Winbox, but as far as I know it's never really been available. ARP stands for address resolution protocol, it is used as part of IPv4 to tie MAC addresses to IP Addresses so that devices can communicate over l...
by Feklar
Thu Jun 18, 2015 10:19 pm
Forum: Beginner Basics
Topic: Clients not displaying "dropped connection icon"
Replies: 3
Views: 778

Re: Clients not displaying "dropped connection icon"

It depends on how the operating system is detecting that something is online or not, and has nothing to do with the router. Typically it sees if it is physically connected, if the default gateway is reachable, and if it can reach a resource on the internet.
by Feklar
Fri Jun 12, 2015 9:27 pm
Forum: General
Topic: IPSec
Replies: 11
Views: 1683

Re: IPSec

Are you sure they are looking for 256 bits for SHA and AES for phase 1? SHA1 and AES128 is the more likely option they are wanting/needing.
by Feklar
Tue May 19, 2015 9:04 pm
Forum: General
Topic: Hotspot and arp poisoning attack
Replies: 2
Views: 883

Re: Hotspot and arp poisoning attack

The hotspot uses proxy-arp to act as the default gateway for misconfigured clients. It is normal and expected behavior by default. To turn it off set the Address Pool to none in your hotspot server configuration.
by Feklar
Wed May 06, 2015 6:40 pm
Forum: General
Topic: routing "problem"
Replies: 3
Views: 568

Re: routing "problem"

Since Bob and Alice and the two routers are on the same layer2 segment, no, you have no way of preventing her from changing her IP settings and selecting to use that as the default gateway. You have no way of controlling what users decide to do with their computers. Why do you need two CCRs? Each in...
by Feklar
Tue May 05, 2015 9:36 pm
Forum: Scripting
Topic: Mikrotik-Total-Limit
Replies: 1
Views: 780

Re: Mikrotik-Total-Limit

I believe that you need to set the Interim update in hotspot server profile to be able to use that particular attribute.
by Feklar
Tue May 05, 2015 9:26 pm
Forum: Scripting
Topic: Anyone knows how to mark http protocol?
Replies: 1
Views: 549

Re: Anyone knows how to mark http protocol?

http://l7-filter.sourceforge.net/protocols
/ip firewall layer7-protocol
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
by Feklar
Mon Apr 27, 2015 9:09 pm
Forum: General
Topic: Transparent ARP bridge
Replies: 4
Views: 1115

Re: Transparent ARP bridge

Thanks for your reply, I also can see all the devices, but the problem is that they don't see each other. I talked to support and they said that with arp=enabled it should be transparent but maybe because of the hotspot it is not transparent. However, they didn't give me a solution, anyone knows h...