Community discussions

Search found 194 matches

by Jeroen1000
Sun Dec 24, 2017 3:48 pm
Forum: General
Topic: Ipv6 firewall bug?
Replies: 6
Views: 313

Re: Ipv6 firewall bug?

Try to drop output; it seems to be skipping forward, and I think if the router originates the packets, it will be placed directly in the output chain. Packets come in from the WAN-BRIGDE (this bridge contains the WAN interface uplink to a cable modem and it also contains VLAN20). By the way, it is a CASA C...
by Jeroen1000
Sun Dec 24, 2017 2:07 pm
Forum: General
Topic: Ipv6 firewall bug?
Replies: 6
Views: 313

Re: Ipv6 firewall bug?

Mikrotik is not Cisco. Mikrotik doesn't have hardware routing, doesn't have an ASIC chip. Mikrotik is a software router based on Linux. Everything goes to the CPU (except L2 configurations on the switch chip). The packet sniffer is tcpdump (or similar software). Working in promiscuous mode, it sees everything on the network (d...
by Jeroen1000
Sun Dec 10, 2017 4:16 pm
Forum: General
Topic: Ipv6 firewall bug?
Replies: 6
Views: 313

Re: Ipv6 firewall bug?

The packet sniffer sees everything, IMHO. It works on a lower level than the IP stack. The firewall rule is wrong. You are dropping packets on input, but the packets are TX (output). The rule matches, so what is your reasoning behind it being wrong? Most sniffers work by passing the packets up to the CPU. If that does not h...
by Jeroen1000
Fri Dec 08, 2017 7:51 pm
Forum: General
Topic: Ipv6 firewall bug?
Replies: 6
Views: 313

Ipv6 firewall bug?

Hi everyone, Can anyone verify? I have a drop all input rule but as you can see in the screenshot, traffic destined for ff02::1 still slips through. You can see this in the upper window "Packet Sniffer Packets". Moreover, the 2nd rule blocking traffic destined for ff02::1 is not hit. This is normal ...
by Jeroen1000
Fri Oct 20, 2017 3:58 pm
Forum: Announcements
Topic: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities
Replies: 58
Views: 83291

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

To summarize, the client does connect to the fake AP. That's why the researcher enabled IP forwarding on his Linux box. Actually there are APs that will do this (mitigate the 4-way handshake problem). I'm not sure it will break anything with compatibility, but we administer a ton of APs and they ar...
by Jeroen1000
Thu Oct 19, 2017 5:49 pm
Forum: Announcements
Topic: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities
Replies: 58
Views: 83291

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Hi Andriys, please be constructive instead of just shouting at me. Not looking for an online fight. What do you mean by your last post? Also please note that these attacks do not require wireless clients to connect to a "fake" AP; this "fake" AP just listens and sends you some additional packets while...
by Jeroen1000
Wed Oct 18, 2017 7:33 pm
Forum: Announcements
Topic: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities
Replies: 58
Views: 83291

Re: RouterOS NOT affected by WPA2 vulnerabilities

You can fix the 4-way handshake issue either at the client side or at the Access Point side. ... So it's good practice to also fix it at the AP side:-). Wrong!!! KRACK is a pure client-side attack. Patching AP will give you nothing. It's not wrong, however, I understand your interpretation. You can...
by Jeroen1000
Tue Oct 17, 2017 4:23 pm
Forum: Announcements
Topic: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities
Replies: 58
Views: 83291

Re: RouterOS NOT affected by WPA2 vulnerabilities

Hi, when I read about the vulnerability this morning I immediately checked the forum and was very happy to read this announcement. I updated all my access points and was quite relieved this should not concern me anymore. Now that there is more information and as it was already quoted: From the link:...
by Jeroen1000
Tue May 09, 2017 5:13 pm
Forum: Scripting
Topic: Simple script works in terminal but not via RUN script
Replies: 1
Views: 236

Simple script works in terminal but not via RUN script

 :global isIPcurrent;
 :global currentIP;
 :if ($isIPcurrent!=$currentIP) do={
   :log info "YES"
   :set $isIPcurrent $currentIP;
   /user set sshuser address=($currentIP,/32,192.168.200.0/24)
 }
(The ":global currentIP;" declaration was not in the pasted snippet; a script, unlike an interactive terminal session, can only read a global variable it has declared.) So this works when pasted in a terminal but not when I paste it in a new script and run it. I really don't understand why? Any clues:-)?
by Jeroen1000
Tue Nov 08, 2016 11:55 am
Forum: General
Topic: Routerboard 850Gx2 radio tap header
Replies: 2
Views: 276

Re: Routerboard 850Gx2 radio tap header

Yes I was, but I am supposed to in order to sniff this traffic.
by Jeroen1000
Mon Nov 07, 2016 10:43 pm
Forum: General
Topic: Routerboard 850Gx2 radio tap header
Replies: 2
Views: 276

Routerboard 850Gx2 radio tap header

Dear all, I got a strange Wireshark packet originating from an R850Gx2 running v6.35 stable. My Wi-Fi router is a run-of-the-mill Netgear R7000. Does anyone know why I'm seeing this packet? It's a router after all and has nothing to do with a Wi-Fi signal. For those who would like to reproduce: I got...
by Jeroen1000
Sun Oct 23, 2016 1:22 pm
Forum: RouterBOARD hardware
Topic: RB 850Gx2 vs RB750Gr3 performance
Replies: 10
Views: 5700

RB 850Gx2 vs RB750Gr3 performance

This topic was bound to show up sooner or later:-) So the 850Gx2 has a PowerPC processor running at 533 MHz. The RB750Gr3 has a MIPS processor at 880 MHz. Both are dual-core devices. Both offer HW acceleration, although I have the 850Gx2 rev. 1 which doesn't, so buyer beware. The 750Gr3 uses the EIP-93 ...
by Jeroen1000
Sun Oct 23, 2016 12:29 pm
Forum: RouterBOARD hardware
Topic: RB750Gr3 - Report and questions
Replies: 110
Views: 22559

Re: RB750Gr3 - Report and questions

Thank you for your tests. They are most welcome. Maybe try IPsec and L2TP. Just use a Windows 7 or higher client to test. Plain IPsec would require a site-to-site tunnel.

Any thoughts on whether this one is faster than an 850Gx2?
by Jeroen1000
Thu Oct 20, 2016 9:07 pm
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 426
Views: 173459

Re: 3.6 GIG - Public-Mikrotik-Bandwidth-Test-Server

Just wanted to say thanks for your server. I've been able to test both my connections. One weird Mikrotik thing found: when uploading (10 megabit) the test server process makes a RouterBOARD 450G's CPU spike to 100%. When just doing a speedtest on speedtest.net, it does not go over 10%.
by Jeroen1000
Wed Oct 19, 2016 11:09 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 17475

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Thanks Alex and Nathan. Since I don't need more than 100 megabit CTR is ok. It's considered safe so there is no security trade off at least. Thanks for maintaining this thread pushing for a fix!
by Jeroen1000
Tue Oct 18, 2016 12:19 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 17475

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Does anyone know whether this occurs with regular TCP/UDP streams too (so without HW encryption)? Secondly, is SSTP working ok or is that HW accelerated too?
Bit of a shocker this thread:-)
by Jeroen1000
Sun Dec 06, 2015 11:28 am
Forum: RouterBOARD hardware
Topic: SXT SA5 ac as client access point?
Replies: 4
Views: 1629

Re: SXT SA5 ac as client access point?

Hi Pukkita, thanks for replying. Most important question: How do you mean it will depend on the camera's wireless? Can the SXT 5 SA ac function as a normal AP (like a home AP) and broadcast an SSID? I.e., say I have 3 laptops (=clients) in range, can they just connect to it and from there on be routed ...
by Jeroen1000
Sat Dec 05, 2015 8:01 pm
Forum: RouterBOARD hardware
Topic: SXT SA5 ac as client access point?
Replies: 4
Views: 1629

SXT SA5 ac as client access point?

Hi everyone, I'm looking for directional wireless coverage for a secondary building across from the main building. Some wireless cameras will be stationed there. The distance between the main building and the secondary building is about 30 meters. There is full line of sight. So my plan is to screw an SXT SA5 ac to t...
by Jeroen1000
Sat Sep 19, 2015 9:32 pm
Forum: RouterBOARD hardware
Topic: Real CCR1072 experience?
Replies: 50
Views: 7727

Re: Real CCR1072 experience?

I want to add that this is the reason you have to verify how many packets per second a device can forward at a given packet size. CPU-based systems do not behave linearly, as opposed to ASICs. Say you have a 10 gigabit line at an ISP and the MTU is 1500; your device must be capable of forwarding the ...
by Jeroen1000
Sat Apr 11, 2015 2:01 am
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 44471

Re: RB3011 Block diagram?

So both the Tilera and the IPQ are network processors? I.e. CPUs with a special purpose.

Does anyone know how their architecture differs? I can't really find a definitive source on the Tile architecture.
by Jeroen1000
Sun Mar 15, 2015 2:56 pm
Forum: General
Topic: Simple queue statistics tab target download: what is this (pictures inside)?
Replies: 0
Views: 387

Simple queue statistics tab target download: what is this (pictures inside)?

I have started a test, where 1 user over SSTP is using all the upload bandwidth. In order to prevent excessive queuing in the upload direction, I've placed a simple queue on the WAN interface. It shapes to 3700k. But then I noticed the number in target download (kbps) at the simple queue statis...
by Jeroen1000
Tue Feb 24, 2015 8:19 pm
Forum: General
Topic: sstp vs pptp performance
Replies: 27
Views: 6703

Re: sstp vs pptp performance

I tried rate limiting, it did not seem to really make a difference for me. Can you provide the CLI export of your PPP? Just to confirm, I will test again. What code are you running? I'm on ROS 6.27. I'll add the export hopefully in a few hours (I'm testing another config ATM). You must rate limit bel...
by Jeroen1000
Tue Feb 24, 2015 10:09 am
Forum: General
Topic: sstp vs pptp performance
Replies: 27
Views: 6703

Re: sstp vs pptp performance

Latest update/conclusions: For a WIRED connection: - When rate limiting to 8M/8M, the wired connection is getting 7.3 megabit out of SSTP. So the same conclusion as Stefan in viewtopic.php?t=85568. It's not ALL that I can get, but 7.3 out of 9 megabit is acceptable nonetheless. Speed fluctuates with about 0...
by Jeroen1000
Thu Feb 19, 2015 8:18 pm
Forum: General
Topic: sstp vs pptp performance
Replies: 27
Views: 6703

Re: sstp vs pptp performance

I got the idea from here: http://forum.mikrotik.com/viewtopic.php?t=85568 kudos to stefan803. It is an excellent read, I promise. You can set the limit going to PPP profiles and selecting the profile that is used for a particular user (see screenshot attached). What I'm going to do next is eliminate...
by Jeroen1000
Thu Feb 19, 2015 9:42 am
Forum: General
Topic: sstp vs pptp performance
Replies: 27
Views: 6703

Re: sstp vs pptp performance

I've got some more interesting information. A friend has a 10/10 connection and has connected to my 160/10 SSTP-server. Limiting the SSTP connection to 7/7 got a stable 784 kilobyte per second connection (+- 6.3 megabit). Limiting to 8/8 got the connection to 900 kilobyte per second. (+- 7.2 megabit...
by Jeroen1000
Wed Feb 18, 2015 10:23 am
Forum: General
Topic: sstp vs pptp performance
Replies: 27
Views: 6703

Re: sstp vs pptp performance

Latency is 30-40ms, CPU never maxes out, barely breaks 35% on a MAP2N. On a PPTP connection with both sides having 28/6 I can see over 600mbit, which is great; simply changing to SSTP, both sides see 350mbit max, it's a huge hit. How can you get over 600 megabit if the maximum upload on both sides is...
by Jeroen1000
Wed Feb 18, 2015 10:20 am
Forum: General
Topic: sstp vs pptp performance
Replies: 27
Views: 6703

Re: sstp vs pptp performance

@Nathan, To recap: SSTP-server: 850Gx2 on a 160/10 megabit connection (getting about 9 megabit upload on average - untunneled). Running ROSv 6.27 SSTP-client: Windows 7 on a 60/4 connection (getting about 3.2 upload on average - untunneled) My latency is pretty low: 12 - 18 ms without SSTP and aroun...
by Jeroen1000
Tue Feb 17, 2015 9:31 pm
Forum: General
Topic: sstp vs pptp performance
Replies: 27
Views: 6703

Re: sstp vs pptp performance

Same issue here. I've got a rock solid ISP cable connection. SSTP server: It has 160 megabit down, 10 megabit up. I'm connecting from another line with the same ISP. This line's profile is 60 megabit down, 3 megabit up. PPTP: 8-9 megabit per second. Tested for 30 minutes downloading an Ubuntu ISO a...
by Jeroen1000
Sun Feb 01, 2015 10:44 pm
Forum: RouterBOARD hardware
Topic: CCR1009-8G-1S-1S+PC
Replies: 31
Views: 11104

Re: CCR1009-8G-1S-1S+PC

Darn, I almost wish I had not bought an 850Gx2. Anyway it will do for now. The only downside I can see is the low amount of NAND storage compared to the 850Gx2 and the 450G.
by Jeroen1000
Sun Dec 28, 2014 12:11 am
Forum: RouterBOARD hardware
Topic: Advice please, best RouterBoard for site to site SSTP VPN
Replies: 7
Views: 1412

Re: Advice please, best RouterBoard for site to site SSTP VP

Except that the 850Gx2 does NOT have hardware encryption. It's for a later model revision. I got fooled too but it's fast enough for my 10 megabit upload connection:))
by Jeroen1000
Tue Dec 23, 2014 7:11 pm
Forum: Announcements
Topic: v6.24 RC
Replies: 50
Views: 28344

Re: v6.24 RC

Are the NTP fixes related to the recently discovered vulnerabilities? http://www.ubuntu.com/usn/usn-2449-1/

Could you please tell me what version ROS is using? Is it version 4.2.8?
by Jeroen1000
Wed Dec 17, 2014 9:31 pm
Forum: General
Topic: LOG SSTP access
Replies: 3
Views: 698

Re: LOG SSTP access

Doesn't Windows 7/8/8.1 always connect to 443? Must try that ASAP and I'll post whether or not it can be changed.
by Jeroen1000
Mon Dec 15, 2014 11:03 pm
Forum: General
Topic: LOG SSTP access
Replies: 3
Views: 698

Re: LOG SSTP access

I got a step closer! You can find users that logged in with success via the line below, pasted in a terminal. Of course, appropriate logging should be enabled first in order for this to work.
 log print detail where buffer=memory && message~"authenticated"
It will produce this output: time=dec/10 ...
by Jeroen1000
Mon Dec 15, 2014 10:18 pm
Forum: General
Topic: LOG SSTP access
Replies: 3
Views: 698

LOG SSTP access

Hi fellow Mikrotik users, For PPTP I do this for logging:
 14 ;;; PPTP-VPN rules
    chain=input action=accept protocol=tcp dst-port=1723
 15 chain=input action=log protocol=gre log-prefix=""
 16 chain=input action=accept protocol=gre
When a GRE tunnel is established, I know someone has logged in with succ...
by Jeroen1000
Sat Nov 22, 2014 3:01 pm
Forum: General
Topic: Firewall: dynamic VPN rules. Explain the jump rule please
Replies: 0
Views: 596

Firewall: dynamic VPN rules. Explain the jump rule please

Hi Guys, I'm talking about rule # 18 in the firewall output. Why is that jump rule required? I don't quite understand. Background info: What the PPTP VPN rules do is block a VPN user from reaching my LANs. In order to reach a LAN, you have to move packets out of a VLAN interface. Hence, rule #19 b...
by Jeroen1000
Mon Nov 10, 2014 5:49 pm
Forum: General
Topic: Simple routing architecture problem from a newbie. HELP :)
Replies: 13
Views: 1107

Re: Simple routing architecture problem from a newbie. HELP

Could you perhaps make a diagram with IP addressing on it? It's not clear to begin with to which address the 750GL ports forwards. I think it should not really be an issue to give your NAS (1) a public routable IP (DSL) and then (2) an RFC 1918 private IP that is masqueraded using the cable's ISP pu...
by Jeroen1000
Sun Nov 09, 2014 11:36 pm
Forum: General
Topic: Simple routing architecture problem from a newbie. HELP :)
Replies: 13
Views: 1107

Re: Simple routing architecture problem from a newbie. HELP

What is the intent? Active and backup router? Then VRRP is your answer.
by Jeroen1000
Sun Nov 09, 2014 2:08 pm
Forum: General
Topic: 850gx2 on 6.21.1: clearing log not possible anymore?
Replies: 0
Views: 409

850gx2 on 6.21.1: clearing log not possible anymore?

Hi all,
 /system logging action> set numbers=0 memory-lines=1
 /system logging action> set numbers=0 memory-lines=500
Above should clear the memory log: 0 * name="memory" target=memory memory-lines=500 memory-stop-on-full=no

Can anyone confirm this is no longer working for them?
by Jeroen1000
Sat Nov 08, 2014 3:30 pm
Forum: RouterBOARD hardware
Topic: RB850Gx2 - Release date?
Replies: 193
Views: 42711

Re: RB850Gx2 - Release date?

@hedele I was not trying to discredit you in any way. Payload is indeed 1500 bytes, but 20 bytes of that comprises the IP header. The more L2 stuff you use (like VLANs) the LESS payload will be transported unless the L2MTU can be augmented. Thus, for 1500 bytes payload + a VLAN tag, the L2MTU has to...
by Jeroen1000
Fri Nov 07, 2014 10:24 am
Forum: RouterBOARD hardware
Topic: RB850Gx2 - Release date?
Replies: 193
Views: 42711

Re: RB850Gx2 - Release date?

http://wiki.mikrotik.com/wiki/Manual:Maximum_Transmission_Unit_on_RouterBoards @hedele It is always better to be very precise with these matters. L2MTU is USUALLY = payload (1480 bytes) + IP header (20 bytes) . This equals 1500 bytes. Here you add 14 bytes MAC header and + 4 bytes FCS. This amounts ...
by Jeroen1000
Thu Nov 06, 2014 12:27 pm
Forum: RouterBOARD hardware
Topic: RB850gx2 MTU issue confirmed by me:)
Replies: 18
Views: 4501

Re: RB850gx2 MTU issue confirmed by me:)

You can set Ciscos and Junipers to ignore the DF flag and they will happily fragment away. I'll take a Wireshark capture on a Windows PC connected to the WAN port. But thanks for fixing this so quickly!
If it is good, it must be said too!
by Jeroen1000
Thu Nov 06, 2014 11:11 am
Forum: RouterBOARD hardware
Topic: RB850gx2 MTU issue confirmed by me:)
Replies: 18
Views: 4501

Re: RB850gx2 MTU issue confirmed by me:)

I think it is sufficient for all WAN uses. Is there a way to discover whether a router honours the don't fragment flag?:-)
by Jeroen1000
Fri Oct 31, 2014 4:49 pm
Forum: RouterBOARD hardware
Topic: RB850gx2 MTU issue confirmed by me:)
Replies: 18
Views: 4501

Re: RB850gx2 MTU issue confirmed by me:)

I asked MT about this MTU limitation. They assured me that the hardware supports jumbo frames and MTU should be increased in a future ROS version.
Good news. Better than mine as now we know the limitation can be removed. I hope future means this year though :-)
by Jeroen1000
Fri Oct 24, 2014 8:18 pm
Forum: RouterBOARD hardware
Topic: RB850gx2 MTU issue confirmed by me:)
Replies: 18
Views: 4501

Re: RB850gx2 MTU issue confirmed by me:)

I've been told it is currently an accepted bug. There is another topic where this was told. I hope it gets fixed quickly too:)
by Jeroen1000
Sat Oct 18, 2014 6:50 pm
Forum: RouterBOARD hardware
Topic: RB850gx2 MTU issue confirmed by me:)
Replies: 18
Views: 4501

Re: RB850gx2 MTU issue confirmed by me:)

MRZ, you were very right! For the VLAN interface you can only set an L2MTU of 1502 bytes (could not get it to set 1504 or more). The MTU on the VLAN interface has to be lowered (from 1500) to 1498 bytes in order for this to work. 1502 bytes - 4 bytes for the VLAN header = 1498 bytes. This looks like an issu...
by Jeroen1000
Wed Oct 15, 2014 8:26 pm
Forum: RouterBOARD hardware
Topic: RB850gx2 MTU issue confirmed by me:)
Replies: 18
Views: 4501

Re: RB850gx2 VLANs hardware issue?

I'll check that. I have not changed the L2MTU. Perhaps I should set it at 1504. Can't check the defaults now as I'm not near the router.

I believe to ping 1500 bytes you need to set the ping size to 1472 in windows? (8 bytes ICMP and 20 bytes ip header makes 1500). Right?
by Jeroen1000
Wed Oct 15, 2014 7:42 pm
Forum: RouterBOARD hardware
Topic: RB850gx2 MTU issue confirmed by me:)
Replies: 18
Views: 4501

RB850gx2 MTU issue confirmed by me:)

Hi Guys, As soon as I create a VLAN interface on a port and assign an address to it I can no longer manage the router via Winbox. I can ping the address on the interface though. Sometimes I can't even log in to Winbox. When I can log in, most tabs are empty (like the interfaces tab, vlans tab, firewa...
by Jeroen1000
Mon Oct 13, 2014 9:26 am
Forum: RouterBOARD hardware
Topic: RB850Gx2 Network interface details
Replies: 36
Views: 18063

Re: RB850Gx2 Network interface details

So, regarding the MTU. You can't even do Q in Q with a layer 3 MTU of 1500 bytes (20 bytes IP header + 1480 bytes payload).

That would yield 1480 + 20 + 4 + 4, seeing as a VLAN tag is 4 bytes?
by Jeroen1000
Sun Jul 13, 2014 1:39 pm
Forum: General
Topic: RB450G: DHCP-client on master interface not working SOLVED
Replies: 2
Views: 583

Re: Routerboard450G: DHCP-client on master interface not wor

I've found the problem and solution. However, I don't fully understand it yet. In the configuration below, the switch1-cpu port is set to DEFAULT-VLAN-ID 0. Putting it as an access port in VLAN20 solves the issue: 5 switch1-cpu Switch1 secure always-strip 20 Or setting its VLAN-MODE to fallback also does t...
by Jeroen1000
Sat Jul 12, 2014 10:29 pm
Forum: General
Topic: RB450G: DHCP-client on master interface not working SOLVED
Replies: 2
Views: 583

Re: Routerboard450G: DHCP-client on master interface not wor

This is so weird, what you could NOT see from my first post is that ETHER2 did not have a physical link (there was no device attached to the port). So I've now connected my ISP's cable modem to ETHER2. The modem was previously on ETHER5 (my WAN port). Again, I do not receive an IP address on ETHER2 ...