Community discussions

Search found 34 matches

by markdutton
Thu Mar 14, 2019 2:10 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: LLDP
Replies: 124
Views: 39964

Re: LLDP

LLDP-MED, yes please else the use of the PoE switches is limited.
Agree 100%. It is a fundamental requirement in any enterprise switch.
by markdutton
Thu Mar 14, 2019 2:09 pm
Forum: Beginner Basics
Topic: Voice vlan and mikrotik
Replies: 3
Views: 399

Re: Voice vlan and mikrotik

You should enable DHCP VLAN on your phone: https://www.grandstream.com/sites/default/files/Resources/VLAN_Guide.pdf Or configure the VLAN manually. MikroTik does not currently support LLDP-MED which is necessary for communicating voice VLAN ID to phones. This normally isn't a huge problem since mos...
by markdutton
Tue Feb 12, 2019 8:08 am
Forum: Forwarding Protocols
Topic: OSPF advertising connected networks
Replies: 2
Views: 267

Re: OSPF advertising connected networks

Thanks Murmaider! That did it. I was trying previously to do a discard on 192.168.220.0/30, but I don't think it ever matched properly. Either that, or it was another connected route that was causing the problem. Putting in the explicit allow for the route I wanted to advertise followed by a discard...
by markdutton
Mon Feb 11, 2019 12:38 pm
Forum: Forwarding Protocols
Topic: OSPF advertising connected networks
Replies: 2
Views: 267

OSPF advertising connected networks

I know I am doing something really dumb here, but I am stuck and I need a hand. I create a backbone area between two routers using an IP tunnel (over IPSEC). For simplicity, the routers each have their local LAN interfaces, their Internet interfaces and their IP tunnel interface. I number the tunnel...
by markdutton
Wed Apr 25, 2018 10:43 am
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 144742

Re: Advisory: Vulnerability exploiting the Winbox port


You can access graphs within winbox - no need to use web access to them.
Yes but the graphs in Winbox are rubbish compared to the web ones with their time and throughput scales.
by markdutton
Wed Apr 25, 2018 4:17 am
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 144742

Re: Advisory: Vulnerability exploiting the Winbox port

This is the second advisory for this same port in as many weeks. Whilst we block it to the world we still feel compelled to update all our customers' routers. I hope this is not a sign of things to come. While I'm on my soapbox I'd like to suggest that graphs are moved off the web management port. T...
by markdutton
Thu Mar 09, 2017 4:34 am
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

You can limit the IP addresses for defined users. Just make sure that any user IDs that have anything more than read capability can log in only from the LAN side of the network. Yeah I know I can limit IP on the graphing, but what I would like to see is open to world graphing. From my understanding...
by markdutton
Thu Mar 09, 2017 3:04 am
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

Whilst we block most of our client routers from the Internet to all but our own IP address for management, there are some clients who want to have the graphs publicly available. I would like to see a separate port for graphing if possible so that this functionality can be available to anyone without...
by markdutton
Tue Jul 21, 2015 6:28 am
Forum: Wireless Networking
Topic: CapsMan wishlist
Replies: 0
Views: 418

CapsMan wishlist

Hi All I have just started trialing Capsman in a development environment. I have only scratched the surface, but these are on my wishlist now. - Auto tuning of an internal wireless network. Power levels and frequencies to ensure smooth transition between nodes. - A graphical heat map in Capsman (or ...
by markdutton
Tue Jul 21, 2015 4:57 am
Forum: Wireless Networking
Topic: CAPsMAN and AP frequencies
Replies: 11
Views: 5431

Re: CAPsMAN and AP frequencies

I would like to add to this. I have found the following (using Capsman 2). If you set your frequency to auto on the CAP, BEFORE you enable capsman control, it will be auto frequency if Capsman does not specify a channel. However, the auto channel system does not honour the implicit 3 usable channels...
by markdutton
Tue Aug 19, 2014 9:45 am
Forum: General
Topic: VLANS and switch ports
Replies: 2
Views: 569

Re: VLANS and switch ports

OK. Thanks for that. So in relation to multiple VLANS. I only need to define a vlan to ports and CPU if I want to manipulate the VLAN as in my example? The other vlans can be left unassigned at the switch level? It all works fine this way and I have done a million tests, but I don't want to have it ...
by markdutton
Tue Aug 19, 2014 4:00 am
Forum: General
Topic: VLANS and switch ports
Replies: 2
Views: 569

VLANS and switch ports

Hello. I am trying to wrap my head around where I need to actively configure vlan settings on the switch ports. Most commonly, if I want to create a VLAN trunk to an external switch, I simply create multiple VLAN interfaces and assign them all to the same physical port on the Mikrotik. I end up with...
by markdutton
Tue Jul 29, 2014 2:37 pm
Forum: General
Topic: Backup failing on CCR v6.15
Replies: 3
Views: 1673

Re: Backup failing on CCR v6.15

OK. Update.

After a cold restart (power off), it has come up working again. We can run until the new firmware is out GA. It seems that this is a start up issue.
by markdutton
Tue Jul 29, 2014 12:44 pm
Forum: General
Topic: Backup failing on CCR v6.15
Replies: 3
Views: 1673

Re: Backup failing on CCR v6.15

OK Thanks Normis

Next problem though will be that I can't upgrade the router without netflash.

If I factory default, will I get access to the flash again? I have rebooted, but this did not help.

Is there any way to get the flash writing without defaulting unit?

Mark
by markdutton
Tue Jul 29, 2014 12:30 pm
Forum: General
Topic: Backup failing on CCR v6.15
Replies: 3
Views: 1673

Backup failing on CCR v6.15

Hi All I have a CCR 9 core on 6.15. It is in operation and working, but I can no longer create a backup. The password for the admin has reverted to blank also and won't save. I can't create a capture file with packet sniffer. It is as if the file system has become read only. The exact error when I t...
by markdutton
Fri May 18, 2012 12:37 pm
Forum: General
Topic: My RB493 crashes when I run rsync across my VPN
Replies: 3
Views: 1056

Re: My RB493 crashes when I run rsync across my VPN

I have reconfigured the job to run outside of the VPN tunnel and it seems to have sorted it. Not sure why the load is so high with Rsync, but it killed the router over IPSEC.
by markdutton
Thu May 17, 2012 5:30 pm
Forum: General
Topic: My RB493 crashes when I run rsync across my VPN
Replies: 3
Views: 1056

Re: My RB493 crashes when I run rsync across my VPN

Correct it is an IPSEC tunnel.

Additionally, Rsync is running directly across the connection. It is not tunnelled inside SSH.
by markdutton
Thu May 17, 2012 10:19 am
Forum: General
Topic: My RB493 crashes when I run rsync across my VPN
Replies: 3
Views: 1056

My RB493 crashes when I run rsync across my VPN

Hi All I have a weird problem on my home RB493. I will say from the outset, I have set up dozens of Mikrotiks and I have been using them internally for a couple of years and this is a one off to me. I have a RB2011L in the office, which I am evaluating. It is normally an RB450G. I have an IPSEC tunn...
by markdutton
Sat Sep 10, 2011 9:13 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 1150

Re: Bug in queue tree decision logic

BTW Fewi I like your idea of using RFC1918 as the source address list so only outbound packets would fire the routing mark. I just put a new rule in my adhoc-bdsl routing table that duplicated the main table rule so the rule would fire in both directions and the inbound route was catered for. It wou...
by markdutton
Sat Sep 10, 2011 9:04 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 1150

Re: Bug in queue tree decision logic

Thanks Fewi I was on the same tack as you stated in your post. I have been able to get the outbound interface working fine using routing marks and a custom routing table. The issue now for me is I already have a huge mangle table for my packet marking rules. To keep things tidy and to get maximum pe...
by markdutton
Sat Sep 10, 2011 6:14 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 1150

Re: Bug in queue tree decision logic

OK. Sorry guys. I have led you astray. The router is very busy, so sometimes it can lead me to make a false assumption. I just did a packet trace on the interfaces. It turns out that the router is NOT using the wrong queues. It is using the wrong interface. However, it is outbounding traffic on the ...
by markdutton
Sat Sep 10, 2011 5:33 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 1150

Re: Bug in queue tree decision logic

Following are all logs except firewall export, which is huge and I would rather not disclose it anyway. The issue is the queues should be attached to the egress interface and they are not. I know this because when I connect externally to my 4-Amcom-BDSL interface via https (443), and drag a file dow...
by markdutton
Sat Sep 10, 2011 4:20 am
Forum: General
Topic: Eth. port flapping, when is this going to be solved?
Replies: 78
Views: 9193

Re: Eth. port flapping, when is this going to be solved?

Seems it is caused by various things. It is not really a flapping port as such. Flapping ports don't usually just disable then re-enable with a corresponding log entry. Flapping ports are usually the result of a problem with the Ethernet connection to the remote device. I know I can make the problem...
by markdutton
Sat Sep 10, 2011 4:12 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 1150

Bug in queue tree decision logic

Hi All I have found a bug in the queue tree decision logic which is making it impossible for me to use the router as I need to. The scenario is I have 2 WAN interfaces and I have 2 queue trees attached to these interfaces. I have various mangle rules to create connection and packet marks to feed the ...
by markdutton
Wed Aug 10, 2011 6:19 pm
Forum: General
Topic: Eth. port flapping, when is this going to be solved?
Replies: 78
Views: 9193

Re: Eth. port flapping, when is this going to be solved?

I think I have almost homed in on this problem for my situation. I swapped out my RB750G for my RB450G today. No problems initially, but then I set about making the changes I had made on the RB750G just before it started to play up (coincidentally the same day I upgraded the firmware). My config is ...
by markdutton
Wed Aug 10, 2011 7:04 am
Forum: General
Topic: Eth. port flapping, when is this going to be solved?
Replies: 78
Views: 9193

Re: Eth. port flapping, when is this going to be solved?

I too am having port flapping on my RB750G since upgrading from 5.0beta to 5.5. I am using 4 ports. Three of the ports are dropping then resuming. It is not false logging as I went to the log to work out why I was getting VOIP silence periods of around 10 - 20 seconds. Looking at the log it appears ...
by markdutton
Wed Jul 20, 2011 1:46 pm
Forum: Beginner Basics
Topic: How do I stop interfaces from changing names after restore??
Replies: 4
Views: 765

Re: How do I stop interfaces from changing names after resto

Guys this would be good if there was not a bug in the export. I have just done an export from a 750G on v5.5. When I go to import I get "expected end of line at line x, column y" The problem is the exported line is creating the script with the wrong syntax. E.G. /queue interface set 1-Local queue=et...
by markdutton
Wed Jul 20, 2011 1:13 pm
Forum: Beginner Basics
Topic: How do I stop interfaces from changing names after restore??
Replies: 4
Views: 765

Re: How do I stop interfaces from changing names after resto

I too was trying to figure this out. However, in defence of Mikrotik, when you do a copy run tftp, then copy tftp run you ARE working with text files.
by markdutton
Fri Mar 18, 2011 7:46 am
Forum: General
Topic: Efficient connection marking and packet marking for QoS
Replies: 2
Views: 660

Efficient connection marking and packet marking for QoS

Hi All Just want to do a sanity check. I have setup a queue tree and use mangle rules to create the appropriate packet marks. I read an interesting wiki article showing a rule that would filter TCP traffic, by port, etc and give it a connection mark, with passthrough enabled. Immediately following i...
by markdutton
Tue Oct 19, 2010 2:01 pm
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 1221

Re: Accessing remote IPSEC site from within Router

OK. I believe it is definitely preserving the markings on encryption. Here is what I do. In prerouting mangle table, I mark the packets based on DSCP, address:port, whatever as VOIP. I then create a queue tree with a queue dedicated to VOIP. The queue tree is attached to my external interface. My SI...
by markdutton
Tue Oct 05, 2010 9:38 am
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 1221

Re: Accessing remote IPSEC site from within Router

That's right. On a standard Linux router using the Freeswan IPSEC stack we would set a flag in the ipsec.conf file being hidetos=no. This would cause the encrypter to put the DSCP flag into the outer packet. We would then create a mangle rule as follows. iptables -t mangle -I TS -p 50 -j RETURN ipta...
by markdutton
Tue Oct 05, 2010 6:42 am
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 1221

Re: Accessing remote IPSEC site from within Router

Excellent diagrams! I actually saw these previously, but I did not scroll down to the end, which shows clearly the double handling of packets through the output routing phase if encrypted. This leads me to two more questions. 1. Will packet marks survive the encryption process? 2. Related to above, ...
by markdutton
Fri Oct 01, 2010 9:15 am
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 1221

Re: Accessing remote IPSEC site from within Router

OK, that makes sense. Could you please in basic ascii art, show the path the packets take including encryption. I am used to Linux IP using freeswan, which encrypts data before it enters the routing stack. I can see the advantages of encrypting after routing, particularly when doing QoS, but I am a b...
by markdutton
Fri Sep 24, 2010 5:06 am
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 1221

Accessing remote IPSEC site from within Router

Hi All I have a set up where I have two sites linked via RB750G routers over IPSEC tunnel. I want site B to get its DHCP from a DHCP server in site A. I have set up the relay, etc, but there is an issue getting the routers to traverse the tunnel correctly. Devices behind the router are fine as they ...