Community discussions

Search found 47 matches

by djmuk
Thu Jun 28, 2018 11:38 am
Forum: General
Topic: xFlow & NAT - wrong destination address
Replies: 1
Views: 189

Re: xFlow & NAT - wrong destination address

OK after further testing - this is a REGRESSION. Netflow 5 works as expected - top conversations shows internal IP address and external site address as endpoints in conversation: 1. [52.97.130.2] 443 PC-5 (192.168.22.100) 53335 6 203 MByte IPFIX and Netflow 9 show the external address of the router a...
by djmuk
Wed Jun 27, 2018 7:42 pm
Forum: Beginner Basics
Topic: Use other router for DHCP
Replies: 4
Views: 390

Re: Use other router for DHCP

Quick & dirty solution - disable DHCP scope so the mikrotik isn't giving out IP addresses. Plug virgin router into a port other than ether 1 - this will connect the virgin router to the 'LAN' side of the mikrotik. Once this is working use winbox in MAC mode to connect to the mikrotik: give the bridg...
by djmuk
Tue Jun 26, 2018 12:29 pm
Forum: General
Topic: xFlow & NAT - wrong destination address
Replies: 1
Views: 189

xFlow & NAT - wrong destination address

I have a RB2011 v6.40.4. this is configured with an internal DATA bridge (ports 3-10) and a WAN bridge (ports 1,2) (with IP DHCP client) with masquerade NAT onto the WAN bridge. ether 3 and 6 are set as master ports with ports 5,6 ->ether 3 and ports 7-10 ->ether 6 I have set up a Trafficflow monito...
by djmuk
Thu Mar 29, 2018 11:41 am
Forum: Announcements
Topic: Urgent security advisory
Replies: 110
Views: 76192

Re: Urgent security advisory

I'm intrigued - those posts look like you're running ps on the mikrotik - how do you get a 'proper' shell / bash connection? Or are they grabs from something like a sysinfo file? David Hi again, We have a bunch of Mikrotiks with OS version higher than vulnerable one but all of them are still infecte...
by djmuk
Mon Sep 07, 2015 12:53 pm
Forum: General
Topic: OpenVPN doesn't work after client update.
Replies: 3
Views: 5134

Re: OpenVPN doesn't work after client update.

Any chance this could be added to the Wiki on the OVPN page. Something like:
"As of 2015 many Android (and possibly other) clients default to incompatible tls cipher suites.
Add the following line to the CLIENT config:
tls-cipher DEFAULT
"
by djmuk
Thu Apr 10, 2014 5:12 pm
Forum: General
Topic: CRS MIrroring woes
Replies: 3
Views: 1106

Re: CRS MIrroring woes

Running 6.11 - or is there a secret version that works?

David
by djmuk
Thu Apr 10, 2014 5:11 pm
Forum: General
Topic: [WINBOX] MultiTab
Replies: 19
Views: 3188

Re: [WINBOX] MultiTab

Windows management buttons on the windows in winbox so they can be minimised - finding a window that has gone behind the others is a PAIN...

NO to Tabs unless they can be 'ripped' into separate windows (a'la chrome) - If I am Comparing 2 devices I want them side by side...
by djmuk
Wed Apr 09, 2014 10:07 pm
Forum: General
Topic: CRS MIrroring woes
Replies: 3
Views: 1106

CRS MIrroring woes

I cannot get port mirroring to work on a CRS125-24G-1S. Quite simple - I have port 23 as a standalone port (NO master configured) connected to a bridge (it is running a hotspot) and port 24 as a standalone (NO master) port for the analyser. I have configured both via CLI and GUI with: /interface eth...
by djmuk
Sun Jun 23, 2013 1:13 am
Forum: General
Topic: How to isolate two networks
Replies: 10
Views: 4507

Re: How to isolate two networks

if you block all traffic in range 192.168.1.0/24 then you will not be able to reach gateway also and have you tested the rule i have posted?? The only time that would be a problem is if you wanted the users to access the gateway web interface - Only the MAC address is replaced in the packets when t...
by djmuk
Mon Jun 17, 2013 10:00 pm
Forum: General
Topic: How to isolate two networks
Replies: 10
Views: 4507

Re: How to isolate two networks

Those rules are the wrong way round they drop traffic that is NOT to 192.168.1.0/24 (!192.168.1.0/24). You EITHER want to forward traffic not to 192.168.1.0/24 (which will be !192.168.1.0/24) or DROP traffic to that Range - in which case the address should be 192.168.1.0/24 (without the !) so remove...
by djmuk
Mon Jun 17, 2013 8:53 pm
Forum: General
Topic: How to isolate two networks
Replies: 10
Views: 4507

Re: How to isolate two networks

For traffic from 192.168.88.0/24 BLOCK access to 192.168.1.0/24 (firewall action drop).
Set MT default gateway to router (192.168.1.1).
by djmuk
Sun Jun 16, 2013 11:57 pm
Forum: General
Topic: Consultant needed for ptp link review
Replies: 1
Views: 474

Re: Consultant needed for ptp link review

What ack timeout do you have set?
by djmuk
Sun Jun 16, 2013 11:32 pm
Forum: General
Topic: Export broken?
Replies: 1
Views: 518

Export broken?

I am writing some scripts & Scheduler tasks to do backups of the config. I tested them on one RB and then did an export of the script and scheduler config so I could paste it into the console on the other boards. The export seems to be broken - it splits lines arbitrarily (for example in the middle ...
by djmuk
Thu May 24, 2012 12:27 pm
Forum: General
Topic: Bandwidth test - undocumented switches
Replies: 3
Views: 1129

Re: Bandwidth test - undocumented switches

never mind the script - at present I just want it to work from the CLI... This works OK: [ROS] > /tool bandwidth-test 192.168.42.11 direction=transmit duration=10s protocol=udp status: done testing duration: 10s tx-current: 20.5Mbps tx-10-second-average: 17.8Mbps tx-total-average: 17.8Mbps random-da...
by djmuk
Wed May 23, 2012 11:35 pm
Forum: General
Topic: Bandwidth test - undocumented switches
Replies: 3
Views: 1129

Bandwidth test - undocumented switches

I am trying to set up a script to run a bandwidth test but can't get it to log the output to a file. The entry in the wiki seems to be out of date as it doesn't list all the available options. The following options are listed in the CLI but not in the Wiki append -- as-value -- do -- file -- once --...
by djmuk
Wed May 09, 2012 11:31 am
Forum: General
Topic: Yet another licensing question...
Replies: 4
Views: 395

Re: Yet another licensing question...

That IS awesome! On some units when I click on update licence key I get 'invalid key' - I tried a unit this morning (that had failed yesterday) and it updated... Is this a 'glitch'? Ah - think I just realised - the failing ones are on 3.6 and doesn't it need to be 3.25 to recognise the new key forma...
by djmuk
Tue May 08, 2012 5:02 pm
Forum: General
Topic: Yet another licensing question...
Replies: 4
Views: 395

Yet another licensing question...

I just updated the licence key on a 3.31 Level 4 box and it is now saying upgradeable to V6.x... Is that right - I am not complaining just wanting to check! I know that updating the key should get me an upgrade to V4.x but do I then get +2 versions as well?

David
by djmuk
Thu Mar 01, 2012 9:17 pm
Forum: Virtualization
Topic: Metarouter images
Replies: 363
Views: 220587

Re: Metarouter images

Thanks for doing that - I grabbed the trunk down to that commit and successfully did a build & put faifa in the kernel & it all works on the 750GL I'm using! It is also a much smaller kernel as I didn't put a lot of modules in there. I think it was the compile fail that threw me off using trunk - is...
by djmuk
Thu Mar 01, 2012 1:24 am
Forum: Virtualization
Topic: Metarouter images
Replies: 363
Views: 220587

Re: Metarouter images

Guys you have saved my sanity! I have been trying to get a metarouter image compiled for the last 3 days without success. Build against 8.09 fails to complete, build against backfire or trunk completes but the code crashes with kernel alignment error... I found this thread but didn't read to the end...
by djmuk
Sun Feb 26, 2012 11:11 pm
Forum: General
Topic: Migrating to Router on a stick
Replies: 2
Views: 798

Re: Migrating to Router on a stick

Well as one of your VLAN's will have to be the untagged (default) Vlan I would leave everything on the default, set up the VLAN interfaces on the router with IP addresses, DHCP etc, then move one port to the new VLAN (IE set the untagged VLAN on that port to the new VLAN) connect your PC to it and c...
by djmuk
Thu Dec 01, 2011 10:16 pm
Forum: General
Topic: Cannot alter default config V5.2
Replies: 1
Views: 587

Re: Cannot alter default config V5.2

Duh - said it was a dumb question...

For some reason the MAC connection dropped randomly, was uploading new 5.9 & it dropped so once I set a usable IP (actually DHCP Client on LAN ports) then I could connect & amend firewall settings & then connect on WAN port..


David
:oops:
by djmuk
Thu Dec 01, 2011 10:00 pm
Forum: General
Topic: Cannot alter default config V5.2
Replies: 1
Views: 587

Cannot alter default config V5.2

Not sure if I am being really dumb here... I have a new RB750GL, powered it up & connected via winbox on default 192.168.88.1 (actually via MAC). I wanted to allow management via Ether1 (gateway port) so went into ip firewall & changed drop rule on ether 1 to accept. I then got 'router disconnected'...
by djmuk
Fri Jul 08, 2011 12:44 am
Forum: General
Topic: Winbox settings / config file
Replies: 3
Views: 1814

Re: Winbox settings / config file

Hmmm edit the code in memory & then execute it - MESSY! Have worked around issue by setting up shortcuts for each router with address / user / pwd on command line. But would seem a simple change to the program to add the option of a command line path for the config file - with a "file not found - cr...
by djmuk
Wed Jul 06, 2011 11:18 pm
Forum: General
Topic: NTP Client
Replies: 16
Views: 2100

Re: NTP Client

OK now I see...

Looks like the NTP server being used might be 'dead' - as suggested earlier try another pair from pool.ntp.org - if you use nslookup you should get the list of servers...

David
by djmuk
Wed Jul 06, 2011 9:31 pm
Forum: General
Topic: NTP Client
Replies: 16
Views: 2100

Re: NTP Client

I don't know the details of how bigpond is set up but the address / network on the bigpond interface looks 'wrong' - Normally the address wouldn't be a /32 but /29 or lower and the network would tally with the interface IP address. Can't you use DHCP on the internet facing address? Can users on the ...
by djmuk
Wed Jul 06, 2011 9:23 pm
Forum: General
Topic: Block Teamviewer
Replies: 16
Views: 15720

Re: Block Teamviewer

If it is against company policy then you don't want to block it - you want to log it, present it to HR and discipline the culprit. a couple of high profile roastings or even dismissals for a 2nd offence will solve the problem... Trying to enforce policy through blocking or other technical means is a...
by djmuk
Wed Jul 06, 2011 9:15 pm
Forum: General
Topic: Winbox settings / config file
Replies: 3
Views: 1814

Winbox settings / config file

Is it possible to use multiple sets of 'saved' settings with winbox (yes I know I can import/export but that is a PITA) EG can I give winbox a command line parameter so it uses a specific file/location to store the saved router details, then I can have different shortcuts pointing at different confi...
by djmuk
Tue Jul 06, 2010 7:02 pm
Forum: General
Topic: 'Boilerplate' configs
Replies: 8
Views: 667

Re: 'Boilerplate' configs

Well I would expect to at least be able to restore a backup onto the same model of router - otherwise the backup is not a lot of use.. "Oh my box has blown up oh & by the way the backup is useless as well...". Especially as it is a binary file so you can't even 'read' it to get the config details ou...
by djmuk
Tue Jul 06, 2010 4:29 pm
Forum: General
Topic: 'Boilerplate' configs
Replies: 8
Views: 667

Re: 'Boilerplate' configs

Well to make the config I went to the top level (/) on the terminal window & typed export <filename> so it should contain all config. I assumed the order in the output would be the 'correct' order to enter the config commands but that may not be the case I suppose! Interestingly when I pasted the co...
by djmuk
Tue Jul 06, 2010 2:58 pm
Forum: General
Topic: 'Boilerplate' configs
Replies: 8
Views: 667

'Boilerplate' configs

I want to set up a 'boilerplate' (template) config file that I can use as a base for configuring new units. I have saved off the config from the first unit to my PC. I edited the file to remove the mac addresses from the interface config lines. I copied the template to the new unit I 'imported' the ...
by djmuk
Sun Jun 06, 2010 3:24 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Wi-Spy / Spectool
Replies: 2
Views: 872

Re: Wi-Spy / Spectool

hmmm - well it's a start and I might have a play with it - once I upgrade..!

but certainly doesn't compete with the wi-spy yet!

David
by djmuk
Sun Jun 06, 2010 12:20 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Wi-Spy / Spectool
Replies: 2
Views: 872

Wi-Spy / Spectool

I need to create a remote wi-spy 'drone' to track down some interference - it needs to be weatherproof as I want to stick it on a pole! Also I am pretty sure the interference is non-802.11... Is it possible to run the wi-spy remote software (or the spectools package) on a routerboard? Or is it possi...
by djmuk
Thu Apr 29, 2010 1:37 am
Forum: General
Topic: Syslog source address not working?
Replies: 5
Views: 864

Re: Syslog source address not working?

OK good call - I needed to exempt the traffic to 10.55.12.0/24 from the NAT rule...

All working OK now!!

Thanks

David
by djmuk
Thu Apr 29, 2010 1:28 am
Forum: General
Topic: Syslog source address not working?
Replies: 5
Views: 864

Re: Syslog source address not working?

Nat rules are simple - Nat 192.168.42.0/24 to the internet interface address. (also nat another subnet 192.168.43.0/24 to the same address) this traffic is not Nat'd and shouldn't be.... It should be caught by the IPSEC VPN before it gets nat'd, other devices on 192.168.42.0 work correctly & I can a...
by djmuk
Thu Apr 29, 2010 1:14 am
Forum: General
Topic: Syslog source address not working?
Replies: 5
Views: 864

Re: Syslog source address not working?

There is only NAT for the internal Clients out to the internet. Do you mean I should have NAT rules? How do I specify the source address - this is traffic originated internally to the ROS box so its source address will vary according to the route it takes out of the box - which is what I am trying ...
by djmuk
Mon Apr 26, 2010 9:10 pm
Forum: General
Topic: Syslog source address not working?
Replies: 5
Views: 864

Syslog source address not working?

I am trying to log to a remote syslog server over a VPN. So I set up the remote syslog action & specify a source address of 192.168.42.1 (the LAN IP of the ROS board) which is part of the VPN tunneled range (192.168.42.0/23). However the Syslog entries don't arrive. using the Packet Sniffer on the R...
by djmuk
Wed Mar 31, 2010 6:38 pm
Forum: General
Topic: How to? Prevent Bridge MAC address changing
Replies: 8
Views: 10995

Re: How to? Prevent Bridge MAC address changing

That was my next question - do I use an interface MAC address or not. From similar usages on other kit it is usual that the interface HAS to be 'up' if you are re-using the MAC address so I assume it is the same on ROS. IIRC the locally administered MAC address range has a bit set at the high order ...
by djmuk
Wed Mar 31, 2010 5:41 pm
Forum: General
Topic: How to? Prevent Bridge MAC address changing
Replies: 8
Views: 10995

Re: How to? Prevent Bridge MAC address changing

Duh - how did I not see those (although the integrated help in winbox does go to the 'old' PDF manuals...)

Ok so admin-mac=0's and auto-mac=no so that's why it won't play!

David
by djmuk
Wed Mar 31, 2010 5:29 pm
Forum: General
Topic: How to? Prevent Bridge MAC address changing
Replies: 8
Views: 10995

How to? Prevent Bridge MAC address changing

I have a couple of devices where the active MAC address changes (which breaks the hotspot bypass setup so I can't manage them!). This is happening when the WLAN interface comes up because a client has connected - because the newly active WLAN has a lower MAC address than the current bridge MAC addre...
by djmuk
Fri Mar 12, 2010 10:58 pm
Forum: General
Topic: IP oops - mac-telnet won't work
Replies: 1
Views: 906

IP oops - mac-telnet won't work

I put a pre-configured RB onto a remote network today. When I get back to the office I find that it will ONLY talk to the local network (no routing at all). It had a static address and a DHCP client on the bridge interface & I could talk to it on the DHCP address but not the static. Anyway to cut a ...
by djmuk
Fri Feb 26, 2010 11:33 pm
Forum: General
Topic: Hotspot authentication - Mac NAT/hiding
Replies: 6
Views: 1258

Re: Hotspot authentication - Mac NAT/hiding

Thanks - that is what I was expecting & I am bypassing by IP address only (not including the MAC)..

Will this change if I go over to radius authentication?

David
by djmuk
Fri Feb 19, 2010 12:58 am
Forum: General
Topic: Problems with DNS for www.google.com
Replies: 173
Views: 39058

Re: Problems with DNS for www.google.com

Hey guys can we move the argument to a new thread and get on with working out what is happening and fixing the problem... I'll use whatever's to hand & yes I have a windows XP box running bind... I have an install with the same problem, What I did notice was: my dns servers are resolver1.opendns.com...
by djmuk
Wed Feb 10, 2010 10:27 pm
Forum: General
Topic: Hotspot authentication - Mac NAT/hiding
Replies: 6
Views: 1258

Re: Hotspot authentication - Mac NAT/hiding

That is exactly the behaviour I DON'T want.....

effectively the question is - when using radius login is it the IP address or the MAC that is authenticated? Even worse - if I bypass the IP address for the bridge will that then bypass the users behind it as well.....?

David
by djmuk
Wed Feb 10, 2010 10:25 pm
Forum: General
Topic: IPSEC Vpn wrinkle
Replies: 1
Views: 613

IPSEC Vpn wrinkle

I have set up VPN's from my cisco router to the RouterOS box. Because I want to access each of the 3 separate IP networks on the ROS box I had to set up 3 sets of address matching ACLs (policies in ROS world). It wasn't working well as the first VPN to establish would work OK but then the next one w...
by djmuk
Sun Feb 07, 2010 9:24 pm
Forum: General
Topic: Hotspot authentication - Mac NAT/hiding
Replies: 6
Views: 1258

Hotspot authentication - Mac NAT/hiding

What happens with a hotspot if you have users behind a (standard) wireless client where the wireless client 'MAC NAT' translates all the traffic to its own MAC address? Does the hotspot still require each IP to be authenticated (So I just need to allow multiple IPs per MAC) or is the authentication...
by djmuk
Tue Jan 19, 2010 12:03 pm
Forum: The Dude
Topic: Discovery problems
Replies: 1
Views: 719

Re: Discovery problems

Hmm even more strange... I installed dude on my main machine (which is connected to the network over a VPN & ADSL connection so has quite high round trip latency) and it discovered the network without any issues so it must be something on the network management machine. What are the dependencies for...
by djmuk
Mon Jan 18, 2010 9:01 pm
Forum: The Dude
Topic: Discovery problems
Replies: 1
Views: 719

Discovery problems

I have just installed the Dude to play with (I haven't any mikrotik units - yet!) but I am having trouble getting discovery to find all the units on the network. I have a variety of units most of which talk snmp and http, some are Http on port 8080, some are telnet / ping only... Dude only finds a f...