MikroTik

NetWorker

That'll take a lot more redacting including e-mail addresses in scripts and whatnot. I don't think I'll have the time for it this week. I'll see what I can do.

NetWorker

Quick and dirty: [admin@rb3011.mainoffice] > ip fire mang print Flags: X - disabled, I - invalid; D - dynamic 0 ;;; local traffic chain=prerouting action=accept dst-address=10.0.0.0/8 log=no log-prefix="" 1 ;;; local traffic chain=prerouting action=accept dst-address=172.20.0.0/24 log=no l...

NetWorker

Update: instead of questioning everything I know about mangle, connection tagging and whatnot, I think I'm gonna go with Wireguard implementation as an explanation for this one. If I mark connection as mentioned above, the reply comes out in a new connection with no mark. If I mark that new connecti...

NetWorker

add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 \ passthrough=yes new-connection-mark=viaWAN2 add action=mark-routing chain=output connection-mark=viaWAN2 passthrough=no \ new-routing-mark=preferWAN2 Hi anav! Thanks for the quick reply. Yeah, that's the way I...

NetWorker

Hey everyone! So I have the following issue. I recently upgraded a client's VPN from IPsec to Wireguard and seen major improvements. Main office is on two internet connections, one with a static, one with a dynamic IP. Branch offices are on dynamic IPs. Main office: ISP1 - Dynamic 100/30 mbs ISP2 - ...

NetWorker

Hey everyone and sorry of reviving an old thread. I had a couple of glitches with different clients related to load balancing in the past few months. The short term solutions for those glitches was to work around them, assigning a particular WAN to certain traffic that was misbehaving. But since the...

NetWorker

Check Network Type between routers, because depending on the type of network they exchange LSA but do not set up a route table. I just updated one of our remote offices from 6.48 to 7.4 and I had some adjustments to do. No surprise there, I already had to do them on some of our other routers after ...

NetWorker

Hey y'all!! Yesterday we went online with a new ISP over a symmetric GPON line at our main office (finally catching up to 2015 era tech rofl). Anyway, our VPN issues are now solved. Our DSL line ISP was the culprit. I still can't pinpoint the problem but issues with their pppoe server or router comi...

NetWorker

Hey, mikegleasonjr! No, I haven't found a solution to it. I managed to reduce full backup size so that they take about 30 hours. Given that I only do full backups every other week, daily backups are incrementals taking short of an hour to upload and that I've already sunk several workdays into this,...

NetWorker

Well, this week I disabled the IPSec and L2TP tunnel. I didn't suspect it to be the culprit but just to rule it out. So I went with an IPIP tunnel with no encryption (MSS clamp to PTMU=yes) and had the same results. UDP 10 mbps, multistream TCP 10 mbps, single stream TCP 2.4 mbps, single stream TCP ...

NetWorker

It depends on which load balancing scheme and firewall rules you intend to implement. But if I read this right you want to load balance and route 2 gbps+ simultaneously. You'll need to get at least an RB4011, probably a CCR if you don't want to bottleneck your line speeds. It also comes down to you ...

NetWorker

Ok, so I'm back. First of all, I thought to set MSS to a fixed value to be a big no-no. That one should set MTU and MRU to fixed values so as not to fragment and leave MSS be. Further I didn't quite grasp what you meant by terminating the tcp session at the endpoints. We're talking traffic generated...

NetWorker

Thanks for replying bpwl! I've been reading up on TCP congestion control. Cool stuff! Never occured to me the amount of engineering that goes into a protocol we take for granted. I do have a couple of remarks and a couple of questions though. - The issue persists when only two devices are involved: ...

NetWorker

I recall something about all "services" like pptp in routeros always use the main table, regardless what the "source ip" is set to. So you have to route in the main table and can't use mangle rules.

NetWorker

Quick and dirty solution that I'd expect to work would be to mirror the physical ports on the second switch. Though loloski's solution should work too and is much cleaner. =)

NetWorker

My first tip is for you to ditch PPTP. Use SSTP, OVPN or L2TP over IPSec.

As to the issue at hand, you'll need to post your routing and mangle rules. Though it'll essentially boil down to one of your routing rules not being applied and therefore your traffic being routed to the default gateway.

NetWorker

I agree with anav that what you're asking isn't abundantly clear. But I understood is as follows. You have an internal subnet and you want to route to and from that network to ISP2. If that's the case, I think you're way overthinking this. Just add mangle rules before those that do your load balanci...

NetWorker

I had this requierement too and solved it as follows: I used L2TP on top of IPSec so as to have interfaces, not just policies. This in turn allowed me to use OSPF. But you can also do this with static routes. Else you can use GRE or IPIP if all your public addresses are static. Just add a route to e...

NetWorker

Hey everyone, I’ve got a VPN issue that I can’t figure out. You can skip the background description if you wish. Background: - Main office: Mikrotik RB3011, 30/10 mbps (down/up) on VDSL, Win2008r2 filserver - Remote office: Mikrotik RB2011uias, 10/10 mbps on 3 hop wireless uplink to fiber, Win2016 f...

NetWorker

Hi all, I came across a situation where I needed to add a routing rule for a domain name that's bound to a dynamic IP address. So I wrote a very short, easy script and thought I'd share. Hope this saves you time/work if you're in the need for something similar. # Routing rules for dynamic IP address...

NetWorker

Right on, thanks again!

NetWorker

If you want to test and fallback to the previous config you can always use safe mode. Safe mode was hit and miss for a long time. I think it's fixed now but a safe mode that isn't safe is not something I'm willing to trust. I therefore never make changes that might lock me out unless I have a way t...

NetWorker

Alright, so I had a couple of hours to kill yesterday and decided to look into this. First of all, I got it working! Read on to find out how. After your comment emils I set "send initial contact" to no on both client and server (not sure if you meant client and server or both peers in the ...

NetWorker

Thanks for replying emils. I'll try setting initial contact to no. Also, I generally use mangle for everything but I tried to simplify the setup on this one by setting the "local address" for each peer. This way each connection was going out over the correct interface. Or at least that's w...

NetWorker

Anyone?

Edit: update, SAs remain intalled on the central office router (3011) until they time out; in fact several of them for the same IP pair (right now three for one IP pair and two for the other). On the remote router they are removed as soon as one connection replaces the other as stated above.

NetWorker

So we have a central 3011 with a couple of remote offices with 2011s connecting to it via L2TP over IPsec. At one of the remote offices we have two natted conections. We also have two connections at the main office. The idea is to have the remote router establish two connections with different metri...

NetWorker

Are you sure it's not a DNS issue? Did you try setting DNS manually on the PC to see if that makes a difference? From your route trace it apperas the connection is fine as you can ping your modem from behind the mikrotik without issues. Ping times to your ISPs router to the pipe are rather high but ...

NetWorker

Lol, right.

I disabled my old rules yesterday and asked everyone that reported issues with encrypted websites to check those they usually work with and so far so good.

NetWorker

Yes, it is possible. RouterOS is not going to be a limitation and CPU power in a Hex is plenty for distributing those 8 mbps.

Just use queues and separate the interfaces from the switch chip.

NetWorker

Check your DNS setup. Make sure /ip dns is setup correctly and that /ip dhcp-server is passing on the correct addresses for dns to clients.

NetWorker

Update: here's what I ended up with. ;;; mark https ISP1 chain=prerouting action=mark-connection new-connection-mark=ISP1 passthrough=yes connection-state=new protocol=tcp connection-mark=no-mark dst-port=443 per-connection-classifier=both-addresses:3/0 log=no log-prefix="" ;;; mark https ...

NetWorker

Gotcha. Never realized it works exactly the same as nth only with the added benefit of the PCC field. I'll set it up and see if the screams coming out of the accounting the department get any louder lol.

NetWorker

Hey Sob, thanks for replying. The one sentence that put me off from using PCC in the first place was that at the very beginning it reads "PCC matcher will allow you to divide traffic into equal streams". Since there's nothing symmetric about our links (different bandwidth) or traffic (requ...

NetWorker

Hi all, we've been using mangle and nth (connection marks+routing marks) with great success over the years. This makes perfect use of our two ISP lines (cable+DSL) and assymetrically distributes the traffic (3 to 1) as they're of different bandwidth. Now TLS 1.3 comes along and many TLS hosts check ...

NetWorker

So far in the last 10 years using Mikrotiks I've always been positive about which device I was connecting to. Therefore I've never bothered to check the fingerprint. Today for the first time I'm going through another company's network rather than our own and I'm not 100% sure if I'm reaching our dev...

NetWorker

@xbliss, performance varies A LOT with different rules and setups. There used to be no numbers at all since it can vary so much. For example the charts are published for zero or 25 ip filter rules. However the load on the cpu is not linear and you can't really extrapolate and say "ok, so 13 rul...

NetWorker

As SoB said, it's hard to suggest a solution without knowing how you setup the load balancing. But if you used mangle to mark the nth connections, simply put a rule before that one that either accepts or marks the connections coming from the l2tp interface or it's subnet.

NetWorker

Thanks, I needed a laugh. If you shilled any harder I would've fell on to the floor laughing. Hey, I'm all for smiles and grins but after looking up shill in the dictionary I can honestly say that that wasn't the intention of my post. Yes, I posted in a "take it or leave it" sorta way but...

NetWorker

I just want to let everyone know, that v7 is progressing pretty good this year, and most core functionality is usable. Some more difficult parts need to be done and we can release a public beta. Koala Pic ROFL Keyko, you made my day. To be honest I too have been waiting on a few v7 features but hav...

NetWorker

Lol, that makes sense. Thanks again! I'll post back if we decide to give it a shot. Right now we're leaning towards a different setup.

NetWorker

Brochure says max battery charging current is 1A ... so it'll take ages to charge that "massive" 18Ah battery when fully discharged even if power adapter used is powerful enough. Other than that, 18Ah battery should be fine. Thanks for replying mkx. Actually, I have another question relat...

NetWorker

Sorry for reviving an old thread (though it isn't that old! lol). I've been unable to find any comments on battery size. I know it'll take 7 and 12 Ah batteries. But any thoughts on going to 18 Ah? I realize it's a bit on the high side but we're looking at getting a bit longer run times at a low wat...

NetWorker

Agreed. Though it did save me twice on a rb2011 that went into a boot loop. Reinstalling routerOS over serial and then restoring the backup file was easier than having to import all the certificates and a few other things that are not in the compact again. It's not that you can't do it but it does s...

NetWorker

well what use is the build-in scripting and a linux box that pulls the backup from the router and stores it on a nas.
quick & dirty solution , but this allows me to make a backup for example from a rb2011 and restore it on a hapac2

Exactly!

NetWorker

Glad to help! Didn't read all your code since the Mrs. is nagging to go to bed lol. But I still find you're missing the default gateways? Unless you have something else in mind? Anyway, I posted an interface watchdog script a couple of years ago that would reset an interface since we were having iss...

NetWorker

It does indeed sound like a permissions issue. i don't know what you mean by "everywhere else", I assume you mean "don't-require-permissions"? Check again that it is indeed set to yes. However it's always best to just enable the required permissions. For my backup script I use po...

NetWorker

Awesome! Glad I could help.

NetWorker

Oh and in case anyone's wondering about all the picks, the system date comes back with / (slashes) which you can't use in a filename so I replace those with . (dots).

NetWorker

Hi everyone, a couple of weeks ago I became aware that years of routerOS backups all nice and tidily organized in one of our backup servers are USESLESS if an older router goes belly up. Read all about it here . Long story short, in case you're blissfully unaware like I was that using the winbox bac...

NetWorker

Glad you got it working!

NetWorker

There are two ways to go about doing that. One, you put the scheduled task and enable/disable it as needed. The other, you create and remove it each time. This is the task you need. /system scheduler add name=dwnFlagCleaner start-time=startup interval=60m on-event=dwnFlagCleaner Either add it and di...

NetWorker

Lol I haven't played a lot of online games in recent years. Actually I've never played a lot of online games after Team Fortress 2 and the original Counter Strike. Recently became a dad so don't have much time for gaming anymore. =) Anyway, your numbers sound about right. Online gaming has always be...

NetWorker

can route 980 Mbps with 25 firewall rules and 512 bytes packet size. 512 bytes are fairly large packets. Most packets are a lot smaller than that. A lot of acks, etc. So the number you should look at is the one on the right, for 64 bytes. Mainly for two reasons, first it kinda provides a worst case...

NetWorker

Wow, that's news for me. I hadn't read that bit. Cool stuff. Right, so for question number two, did you try using the hostname variable? I know not all devices report host name correctly. Other than that, if you are indeed using static leases you could try to comment each lease and using the MAC, re...

NetWorker

- by using a ping check of a remote system, you make the usability of the link dependent on the availability of the remote system. when it is down, your ISP link will be declared down even when it really isn't. remember that the remote system may decide that it had enough of the pings and just bloc...

NetWorker

Lol, right. But what about this:

global telegramMessage "$leaseActMAC connected as guest and received $leaseActIP address."

How are you setting those variables?

NetWorker

I've never setup a hotspot but have you tried changing the www service port from 80 to whatever? I don't have the hotspot package installed on any of my routers so I can't check but afaik hotspot and webfig are different services so changing the www service port shouldn't affect the hotspot portal?

NetWorker

Balancing close to 30 mbps upload shouldn't be a problem for that router. But if anyone decides to starts to download at anything close to max download speeds you posted, you'll need to move into the CCR range so make sure you cap download speeds. Unless those are indeed mB/s and not mbps in which c...

NetWorker

Forgot to point out two things. First was already covered by pe1chl. If you only ping the gateway and there's a problem further down the line in the ISP, those routes will stay up but you'll drop all the traffic. I.e. the failover won't happen. More complex checking schemes will require scripts. Sec...

NetWorker

Not quite. You either do it with mangle or with routing rules as pe1chl suggested. Also, you're missing the default gateways. /ip route #first add the default gateways with distance for failover add dst-address=0.0.0.0/0 gateway=10.0.1.1 distance=1 check-gateway=ping add dst-address=0.0.0.0/0 gatewa...

NetWorker

Alright, sorry for not getting back to you sooner. First of all, you haven't shown me how you parse the MAC which is what interests me from the other script. I apologize for not making that clear. In any case, I always recommend (and to the best of my knowledge so does Mikrotik) keeping all scripts ...

NetWorker

Awesome. Do check your cabling though. This might be the reason why it's not negotiating 10G and why you're not nearer to the actual 10G mark.

NetWorker

Found it! MSS can be changed in the profile. Turns out the option "Change TCP MSS" was set to no. When set to yes TLS started working again. Also, even with MTU at 1492 it works a lot better than before. I'm guessing that's because browsers were doing a lot of path discoveries which oddly ...

NetWorker

Have you checked that autonegotiation actually went for 10G? Did you try forcing it to 10G? Have you checked CPU load during your bandwith tests?

NetWorker

Hey everyone! We've recently been having increasing issues with some webpages not being displayed correctly or not loading at all. Long story short, I've tracked it down to being pages that have upgraded to newer versions of TLS. Haven't checked if 1.3 only or also 1.2. And only when going over our ...

NetWorker

Wouldn't it be more logical to check for number of items?
Code: Select all
:log info [:len [/ip ipsec installed-sa find]];
And then compare if it's zero or more.

*Facepalm*

Thanks sob!

NetWorker

You didn't mention how you're triggering the lease script so I can't answer your first question. But in case you're triggering from the dhcp-server, you could just check if said mac address is still registered and if it isn't not to run the telegram script. That way it will only notify of the new le...

NetWorker

So I want to wite a script that checks if an item exists and performs an action if it doesn't. Specifically, we want to check if ipsec is connected and if it isn't disable the l2tp interface so it doesn't endlessly pollute the log with reconnection attempts. -----Background info----- We have a 2 rou...

NetWorker

Yeah, I realized that from the above. I mean I was a happy camper with my regular backups, all nice and tidy, indexed by date and name, safely stored on the server. So if a router goes up in flames I got exactly squat. Nice.......

NetWorker

Backups are only valid for a given device with a given RouterOS and firmware versions. Backups are not intended for setup replication. I apologize for reviving an old thread and quoting a 4 year old post but like gator, I was just *shocked* by this statement. WHAT??? We have a few routers running i...

NetWorker

My first guess would be the phone and or cell spectrum/backhaul. Did you check the phone with a PC at the same time you were getting these results? How much throughput did you get with that setup? It's pretty common to see dismal download rates and high upload rates at times in highly congested cell...

NetWorker

Dunno if you solved this and I stand to be corrected but here's what I'm thinking: You have 2 interfaces: eth5 and eth9. On eth5 you have 1.1.1.1 and on eth9 a server with 2.2.2.1 (with gateway 1.1.1.1) but no IP on the router ethernet interface. This setup won't work because router has no IP connec...

NetWorker

Well folks, I managed to crack it. For whatever reason the "designer" (if we can call the schmuck who designed this marvellous piece of... erm... tech, that) decided that always doing an ARP request, no matter what the destination IP address is, is a good idea. I'm guessing they did this t...

NetWorker

There are two kind of routes in the IP protocol: interface routes (or connected routes, that Mikrotik marks with a C when printing) gateway routes (that in classic route command are marked with a G ) The interface routes are where the ARP mechanism is used, to know which L2 host to address with pac...

NetWorker

- When a host wants to send a packet to an internet address, it will send the packet directly to the gateway. It will NOT do an arp lookup for that internet address. - You shouldn't see two DHCP discovers and two requests during a DHCP transaction, but not a big deal. Discover, Offer, Request, Ack....

NetWorker

I admittedly haven't read through all the code because I don't have a lot of time right now. But load balancing is all about mangle marking. First mark connections that are NOT to be load balanced. You can either do action=accept or use some other mark. For example DNS requests or specific addresses...

NetWorker

If the Alarm system has an IP statically set and it's not on the same subnet as statically set in the alarm system, then the alarm system will do ARP requests for the gateway that's statically set in the Alarm system. Since no device on your network will have that IP, you will only see ARP requests...

NetWorker

You're a bit off on ARP. On an Ethernet network, every device has a mac address. When packets get sent out over Ethernet, they are actually routed only by their mac address. Not IP address. Since your PC will connect to remote devices by IP, then it needs to find out who on the network has an IP as...

NetWorker

Hi all, Ihave a question about ARP: ---background---- At one of our remote offices we recently elected to have an alarm system installed. We have an RB2011 with dual wan running there. The alarm, which apparently is one of those Christopher Columbus brought with him back in 1493, is supposed to be i...

NetWorker

Guys, quick followup. The script won't read the previously run global variables if the policy policy is not set. So as it stands now, you need four of them for the script to behave: read, write, test and policy. I've edited the comment in the script to reflect this: # UPS-Script powerfail # (c) stei...

NetWorker

Hey yall! The UPS script on the wiki https://wiki.mikrotik.com/wiki/UPS_scripts seems to be a little outdated when it comes to the online/onbattery flag. On our APC SUA1000 attached to a RB750, the flag is called "on-line" instead of "on-battery": https://thumb.ibb.co/mOO245/Capt...

NetWorker

Well, we've moved past using 3g modems a couple of years ago. But are considering setting one up again as a backup connection since the site now also runs a server and some more critical traffic. On topic, I wanted to point out that we later moved from the USB dongles to a Sierra Wireless MC 8775 3g...

NetWorker

Holy cow, that looks incredibly complex to me. First of all, I'm assuming (you failed to clarify) you have a main connection and a backup and that you run ALL traffic through your main unless it fails. If this is the case: add two default routes 0.0.0.0/0 with distance 1 and 2. Set gateway of your m...

NetWorker

Quick update when using multiple reset counters. In the interface reset script I just used the global variable. But if you have multiple global variables, instead of editing the variable name everywhere in all the scripts, you can use a local variable and just change the name of the global at the be...

NetWorker

Guys, a word of caution. I've also been running this script for our VPN links now, since they tend to crash along with the pppoe client. That is, our dedicated lines stay up but ovpn connections over the DSL line crash. Anyways, long story short, the ovpn client drops the connection but doesn't try ...

NetWorker

intreset #Interface Reset #Feel free to use or modify as needed. #Hope this saves you work, trouble or time. #Regards, Networker. #The following script will reset the defined interface. It also checks the number of #resets performed. Past that number, the script will permanently disable said interf...

NetWorker

intwatchdog #Interface Watchdog #Feel free to use or modify as needed. #Hope this saves you work, trouble or time. #Regards, Networker. #This script will ping a remote address from a particular interface and its gateway. #This way, we don't bombard the remote host with icmp requests, and make sure ...

NetWorker

intctrreset #Interface counter reset #Feel free to use or modify as needed. #Hope this saves you work, trouble or time. #Regards, Networker. #This script defines and sets to zero the global variable that we will later use to define when #to disable the interface or reset the router as needed. #Note...

NetWorker

Time and again has it been brought up that the Netwatch tool should include a interface parameter as the ping tool does. I've been living without this feature but recently we've added a new ISP to our corporate network. We run a load balancing system with ping checking routes. Our dedicated lines ar...

NetWorker

Please export ip ssh. I telnetted in, but /ip ssh returned bad command. I thought, that's odd, it should be there even if it was failing, right? Then it hit me, I checked the installed packages and sure enough, the security package wasn't there. Looks like I accidentally didn't select it when uploa...

NetWorker

Hey all, I've searched around but haven't found anything related to a failing SSH service. I recently upgraded a RB750GL to 6.38.5 (also updated firmware to 3.33) from 6.35.4. I don't know if it was the update per se, all I know is that it was working before and now it isn't. I also applied a few mi...

NetWorker

Sorry DogHead, I'm all out of suggestions.

I tried this weekend the 9 second delay (9s being the highest value) with no results.

Also forgot to generate the support file.

Will do it next time.

NetWorker

Trying the same settings with a second RB 411U works without any problems! The same settings being the delay? How much did you use? I'd give as much delay as it takes the modem to blink once (you know, when it sees the network it blinks once, else it blinks twice in quick succession) plus 5 or 10 s...

NetWorker

Damn... Was hoping it'd work. I'll give it a try though jcem, to see if we get the same results. But like I said, I don't know when that's going to be. I'm burried with work and college and don't have time to make the trip (200 km). And no, it's not supposed to come back invalid with nothing attache...

NetWorker

Steve0, that's a great idea! I haven't been on site for about a month now, for which reason I haven't followed up on this. I'll give it a shot when I'm there again.

NetWorker

Oh... That's going to be a problem. The board is in a remote location and the only internet access is per GSM. Hence without the modem on the board, I have no way of providing access. I'd had to remove the whole thing from the tower and bring it in to the city... If you guys really need it, then I'l...

NetWorker

Are you using the latest RouterOS version? Thanks for the reply uldis. RouterOS version 4.4 Can you reproduce it almost every reboot? It's basically like this. Every time I shut it down and boot it up again, I have to reboot because the usb port shows invalid in red. After the reboot, everything is...

NetWorker

Hi all. I'll start off by saying that I'm new to Mikrotik and am already in love with you guys! I've setup my RB 411U with a Huawei E226 (like E220) 3G modem in no time and it works great. Except for one minor detail. Almost every time (I'd say 9 out of 10) I shutdown the router, disconnect the powe...

Search found 98 matches