Community discussions

Search found 4040 matches

by ZeroByte
Fri Aug 30, 2019 5:32 pm
Forum: Forwarding Protocols
Topic: OSPFv3 adjacency with Cisco routers
Replies: 2
Views: 464

Re: OSPFv3 adjacency with Cisco routers

I could probably work around it by running two OSPFv3 instances, but since we're not really doing much with IPv6 for our customers yet, I'm not too concerned. If one link goes down, the other should form adjacencies and converge within 45 seconds or so. I was just kind of curious if anyone had seen ...
by ZeroByte
Thu Aug 29, 2019 11:01 pm
Forum: Forwarding Protocols
Topic: OSPFv3 adjacency with Cisco routers
Replies: 2
Views: 464

OSPFv3 adjacency with Cisco routers

We primarily use Cisco on our network core, but are deploying a CCR1072-1G-8S+ as a PPPoE end-user concentration box. As such, it needs to speak OSPF with the rest of the core network. The design is a fairly straightforward dual-uplink; each uplink network having two core routers as DR/BDR. It's the...
by ZeroByte
Thu Aug 29, 2019 10:28 pm
Forum: Forwarding Protocols
Topic: BGP and more specific routes.
Replies: 10
Views: 1024

Re: BGP and more specific routes.

For your nailed-up static routes intended for prefix origination, I'd say the best thing to do would be to add them as distance=254, type=blackhole e.g. /ip route add dst=192.168.0.0/22 type=blackhole distance=254 add dst=192.168.0.0/23 type=blackhole distance=254 add dst=192.168.2.0/23 type=blackho...
by ZeroByte
Thu Sep 20, 2018 9:20 pm
Forum: General
Topic: Possible ICMP redirect bug / change in behavior?
Replies: 4
Views: 919

Re: Possible ICMP redirect bug / change in behavior?

Yup - that's what I disabled. Still getting them. I'm suspecting that our recent problem is a combination of things, because we've never had to disable this to fix stuff until very recently. The 10.10.10.x host is a Ubiquiti cloud key, and they definitely go through their strange behaviors with diff...
by ZeroByte
Thu Sep 20, 2018 7:54 pm
Forum: General
Topic: Possible ICMP redirect bug / change in behavior?
Replies: 4
Views: 919

Re: Possible ICMP redirect bug / change in behavior?

update - apparently, disabling ICMP redirects does NOT stop the Mikrotik from sending redirects. Does the system require a reboot for this change to take effect? So using the previous example IP addressing, whenever host 10.10.10.66 sends a packet to host 192.168.0.33, the Mikrotik router sends an I...
by ZeroByte
Thu Sep 20, 2018 6:55 pm
Forum: General
Topic: Possible ICMP redirect bug / change in behavior?
Replies: 4
Views: 919

Possible ICMP redirect bug / change in behavior?

We've been upgrading some 2011 routers from pre-6.41 versions to the latest 6.43 and 6.43.1 and 6.43.2, and have noticed a change in the behavior with ICMP redirects. We've got a multi-IP-range segment on an interface with two ranges, e.g. 192.168.0.1/22 and 10.10.10.65/28 Starting with apparently v...
by ZeroByte
Mon Jul 16, 2018 6:00 pm
Forum: Beginner Basics
Topic: Multiple Machines with Same IP Address's - Please Help [SOLVED]
Replies: 3
Views: 736

Re: Multiple Machines with Same IP Address's - Please Help [SOLVED]

The problem with doing this in a single router is that the routing table must ultimately choose one particular interface as the destination for any given IP address. Having the same IP address on multiple interfaces doesn't work in this case. If you don't have a large number of these, then you could...
by ZeroByte
Mon Jul 16, 2018 5:46 pm
Forum: Forwarding Protocols
Topic: OSPF overwrite static default-gateway. Possible ?
Replies: 29
Views: 5046

Re: OSPF overwrite static default-gateway. Possible ?

I can confirm this script works a treat.. I can't believe we're here 3 years later with no other viable resolution to the core problem. This is why our core network is still 100% Cisco routers. We use Mikrotik as CPE routers, but given their 'quirky' behavior in dynamic routing protocols, I don't w...
by ZeroByte
Thu Jun 28, 2018 12:02 am
Forum: General
Topic: Feature Request: IPv6 stateful LinkLocal Addresses
Replies: 14
Views: 2175

Re: Feature Request: IPv6 stateful LinkLocal Addresses

True on all counts regarding autoconfig, but end-user access segments are a very very rare case for my operation, where yes, SLAAC is the way to go for us. We static-configure all customer attachment circuits at the PE boundary anyway, so doing this in IPv6 is no big deal. The main thing I like to u...
by ZeroByte
Tue Jun 26, 2018 12:08 am
Forum: General
Topic: Routing
Replies: 16
Views: 1197

Re: Routing

As long as rfc1918 is just used as transport - it will work. ICMP packets will not work, but traffic in TCP/IP will work. If you use a rfc1918 address as dst inside your net - you need to use nat to have it working. Just to clarify for those following along - ICMP will be forwarded through rfc191...
by ZeroByte
Mon Jun 25, 2018 11:48 pm
Forum: General
Topic: Routing
Replies: 16
Views: 1197

Re: Routing

You can't route public IPs through rfc1918. You need to either use nat - or bridge to your internal ip. That's actually not true at all. You can have rfc1918 addresses on links and forward public IP addresses across these links just fine. I used to work for a company whose entire backbone was un-natt...
by ZeroByte
Mon Jun 25, 2018 11:42 pm
Forum: Beginner Basics
Topic: Two ISP and dns monitoring
Replies: 6
Views: 616

Re: Two ISP and dns monitoring

... or now Cloudflare DNS - 1.1.1.1 / 1.0.0.1
by ZeroByte
Mon Jun 25, 2018 6:53 pm
Forum: Forwarding Protocols
Topic: Mikrotik + softether
Replies: 1
Views: 1343

Re: Mikrotik + softether

Most likely, your VPN server doesn't know that the 200 network is behind your Mikrotik - i.e. it needs to get a route associated with the connection. I'm not sure about SoftEther VPN server, so unfortunately I can't tell you what button to press, so to speak. Also, if the VPN server is not the defau...
by ZeroByte
Mon Jun 25, 2018 6:47 pm
Forum: General
Topic: IPv6 problem!!!
Replies: 8
Views: 2104

Re: IPv6 problem!!!

IPv6 packets using Link-local IPv6 addresses are not (and in fact cannot possibly be) forwarded by routers. EVERY network segment has the exact same routing prefix - fe80::/16 - thus it is impossible to communicate with remote link-local addresses even if you wanted to do it. Having these on your ro...
by ZeroByte
Mon Jun 25, 2018 6:33 pm
Forum: General
Topic: Feature Request: IPv6 stateful LinkLocal Addresses
Replies: 14
Views: 2175

Re: Feature Request: IPv6 stateful LinkLocal Addresses

The ability to manually specify the Link-local address can make other things easy than just a consistent default GW on all network access segments. Since our address allocation scheme creates a unique 3-nibble code for each router in our topology, it makes life easy to use that code as the link-loca...
by ZeroByte
Thu May 17, 2018 10:59 pm
Forum: General
Topic: PAP for Winbox Radius Logins
Replies: 7
Views: 2739

Re: PAP for Winbox Radius Logins

MS-CHAPv2 would also be nice for Winbox AAA login verification.
by ZeroByte
Thu May 17, 2018 10:50 pm
Forum: Beginner Basics
Topic: Got to set up a Guest AP in a hurry
Replies: 2
Views: 1333

Re: Got to set up a Guest AP in a hurry

It's not too hard. Add a VAP interface to your wireless (virtual AP) and set the guest SSID there. Add a "guests" security profile - just copy the main one and change the password to your guest password. Make sure the new VAP is not connected to your LAN bridge. Add a new IP network to the new guest...
by ZeroByte
Thu Mar 01, 2018 8:43 pm
Forum: Beginner Basics
Topic: NAT forwading hairpin not working [SOLVED]
Replies: 7
Views: 841

Re: NAT forwading hairpin not working [SOLVED]

I completely understand what you're trying to do. I know why you said "in-interface=wan" in your rule, but in your case, that is a bad thing to use. I'm a fan of using in/out-interface=X wherever possible but this is one of those situations where it's not going to work. If you see no hits on the rul...
by ZeroByte
Thu Mar 01, 2018 5:17 pm
Forum: Beginner Basics
Topic: NAT forwading hairpin not working [SOLVED]
Replies: 7
Views: 841

Re: NAT forwading hairpin not working [SOLVED]

Hairpin rules require a little different logic than the way you've done it. Let's look at rule 1: 1 chain=dstnat action=dst-nat to-addresses=192.168.88.183 to-ports=10000 protocol=tcp in-interface-list=WAN dst-port=10000 log=no log-prefix="" This rule says: If the packet arrives on the WAN interface...
by ZeroByte
Thu Feb 22, 2018 4:52 pm
Forum: General
Topic: pppoe
Replies: 1
Views: 344

Re: pppoe

Don't put any IP addressing on the interfaces where you serve PPPoE. Then it is impossible to get IP service w/o PPPoE.
If you have some sort of "management" IP range in use on the same network segment, then your goal should be to move this functionality to a different VLAN.
by ZeroByte
Thu Feb 22, 2018 4:30 pm
Forum: General
Topic: Get physical interface on a bridge
Replies: 1
Views: 305

Re: Get physical interface on a bridge

Remember that the Hotspot feature is a layer3 function - so it's going to see interfaces in terms of "IP interfaces" not "switchport" interfaces (to borrow a term from Cisco and others). Scripting would need to use the bridge hosts table / switch hosts tables to find the exact physical interface. I'...
by ZeroByte
Wed Feb 21, 2018 7:06 pm
Forum: General
Topic: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]
Replies: 58
Views: 9668

Re: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]

Hi @sindy, thanks for your explanation. You are right: the SIP problem is not a SIP problem, but a UDP NAT problem (a more general problem). It isn't even a bug: it's a UDP NAT limitation (a protocol limitation). I made some NAT tests and understood better how NAT works in MikroTik. I'm publishing...
by ZeroByte
Thu Feb 01, 2018 10:18 pm
Forum: General
Topic: pppoe server problem
Replies: 1
Views: 283

Re: pppoe server problem

Are you assigning the default GW to your clients?
Do the clients have "use default GW" set to yes on their pppoe-client interface configuration?
by ZeroByte
Thu Feb 01, 2018 10:06 pm
Forum: Forwarding Protocols
Topic: OSPF and Routing Broke
Replies: 3
Views: 611

Re: OSPF and Routing Broke

Did you check the routing tables during the outage to confirm that all IP routes pointed in the proper direction, and on both routers? I'm having a little trouble visualizing your issue because you speak of two routers, but when you say you checked from "the router" it's unclear which one you mean. ...
by ZeroByte
Sat Jan 20, 2018 6:34 am
Forum: General
Topic: New to Mikrotik Routing
Replies: 3
Views: 474

Re: New to Mikrotik Routing

Many smaller, inexpensive SOHO Mikrotik routers cannot do 100Mbps of throughput. Some routers can do this if you use the fast-track feature (e.g. the 2011 series). The key is to watch the CPU utilization during a speed test (through the router from a PC, not the BTest service in Mikrotik itself). If...
by ZeroByte
Sat Jan 20, 2018 5:08 am
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 2775

Re: IPv6 router settings

Maybe ask the ISP if they could end this changing nonsense and give you a permanent prefix? Perhaps they are just new to IPv6 and don't know better. Of course there's also a possibility that they are doing this on purpose, to make you pay more for some "enterprise" connection where the prefix does not change...
by ZeroByte
Wed Jan 17, 2018 11:36 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 933

Re: How to disable access from local to some local to Mikrotik AP?

I made the rule: chain=forward src-address-list="ProtectedHosts" dst-address-list="LimitedClients" action=accept which I have dropped before the drop rule and I can not get to the address 192.168.20.110 or even ping if the drop rule ok - go into your router and run this command in a terminal: /ip f...
by ZeroByte
Wed Jan 17, 2018 11:21 pm
Forum: Forwarding Protocols
Topic: Forwarding DDoS
Replies: 3
Views: 898

Re: Forwarding DDoS

Probably what happened was that the DDoS attack used randomized ports and IP addresses, which overloaded the connection state tracking table on the router. If you're not using any kind of stateful features, you can disable state tracking which will reduce the load on the router in such situations in ...
by ZeroByte
Wed Jan 17, 2018 10:52 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 933

Re: How to disable access from local to some local to Mikrotik AP?

Thanks to this, but if I apply this rule, I can not get myself out of range 192.168.20.4-100 to administer clients to addresses 192.168.20.110-114 Dude - you really need to learn what you're doing if you're going to get this picky about stuff and not just expect people to do everything for you. The...
by ZeroByte
Wed Jan 17, 2018 10:42 pm
Forum: General
Topic: Splash page/redirect
Replies: 3
Views: 1656

Re: Splash page/redirect

The way to do this is to configure your hotspot with unlimited simultaneous users in the profile section, and create some basic default user/password for the hotspot. Then you create your splash page with a "continue to Internet" button on it. Design the form on this splash page to simply contain th...
by ZeroByte
Wed Jan 17, 2018 10:18 pm
Forum: General
Topic: Domain coltroler & Active directory
Replies: 1
Views: 520

Re: Domain coltroler & Active directory

The only way to accomplish that would be to run a metarouter image on your Mikrotik using something like DD-WRT, but I wouldn't recommend that. Neither Mikrotik nor the DD-WRT people work on keeping these things compatible with each other and up to date. So that is to say: Nope - Mikrotik's not an o...
by ZeroByte
Wed Jan 17, 2018 9:58 pm
Forum: General
Topic: Use specific internet connection for VPN client connection
Replies: 3
Views: 690

Re: Use specific internet connection for VPN client connection

Step 1: create a static host route to whatever IP address the VPN endpoint currently uses - make the GW be the preferred IP address. Place a useful comment on this route such as "VPN" Step 2: copy this route into all of your routing tables Step 3: You could write a script that runs every minute and doe...
by ZeroByte
Wed Jan 17, 2018 9:53 pm
Forum: Scripting
Topic: I need is to create a script that allows to lower the priority of one of the routers configured with VRRP
Replies: 1
Views: 318

Re: I need is to create a script that allows to lower the priority of one of the routers configured with VRRP

Make a direct connection between the routers and number it with some throwaway subnet, such as 192.168.255.0/30
Make R1 have a backup default GW of 192.168.255.2
Make R2 have a backup default GW of 192.168.255.1

this way it won't matter which device is acting as the VRRP master.
by ZeroByte
Wed Jan 17, 2018 9:49 pm
Forum: General
Topic: EoIP (+IPSec) interface status
Replies: 4
Views: 967

Re: EoIP (+IPSec) interface status

Try using OSPF across the tunnel. As long as the two interfaces have the same cost, OSPF will use equal-cost multipath routing (EQMP) to load share between the two paths. If one path fails, OSPF will lose adjacency across it regardless of the interface's up/down state.
by ZeroByte
Wed Jan 17, 2018 9:46 pm
Forum: Beginner Basics
Topic: EOIP Tunnel
Replies: 2
Views: 383

Re: EOIP Tunnel

Try making the tunnel operate as a layer3 (routed IP hop) connection instead of a bridge.
by ZeroByte
Wed Jan 17, 2018 9:40 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 933

Re: How to disable access from local to some local to Mikrotik AP?

The easiest thing to do would be to enable the "use IP firewall" option on your bridge so that you can make forwarding filter rules that block the traffic you want. Make an IP address list called "LimitedClients" and list the IP addresses 192.168.20.110-114 Make another IP address list called "Prote...
by ZeroByte
Wed Jan 17, 2018 6:36 pm
Forum: General
Topic: Routing between two Mikrotik routers is not working [SOLVED]
Replies: 22
Views: 1581

Re: Routing between two interfaces is not working [SOLVED]

Firstly, do not masquerade between internal networks in your router. Masquerade/SrcNat is only needed for access to the public Internet, or for cases where you need to reach some network that you do not control, and it has no routing information on how to reach your actual IP addressing. Since you c...
by ZeroByte
Wed Jan 17, 2018 6:13 pm
Forum: General
Topic: Routing traffic over 2 interfaces
Replies: 4
Views: 853

Re: Routing traffic over 2 interfaces

You should use different IP ranges on different interfaces. The problem is that any device outside of the /29 network (i.e. is on the ether1 10.0.0.0/22 network) does not realize that this block of addresses is not local and must be reached via the router. They simply ARP for 10.0.0.103, which does ...
by ZeroByte
Wed Jan 17, 2018 5:54 pm
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 2775

Re: IPv6 router settings

In the IPv4 world you have NAT. It directly protects your internal devices from being accessed from the internet. Even when the device doesn't have a firewall. In IPv6 there is no NAT. So theoretically everyone can access everything. Of course to prevent this you setup the firewall but I don't foun...
by ZeroByte
Wed Jan 17, 2018 1:16 am
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 2775

Re: IPv6 router settings

One more point: Make sure that you're not blocking ICMPv6 in your IPv6 firewall filter rules. "ARP" functionality was moved into ICMP for IPv6 (now known as ND - Neighbor Discovery) I have to agree that it's awesome to see an ISP give static assignments like this. The only thing possibly wrong with ...
by ZeroByte
Tue Jan 16, 2018 9:54 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 933

Re: How to disable access from local to some local to Mikrotik AP?

Make a second SSID (create a VAP interface), and make the insecure devices use the second AP, and put that on a different IP range (don't bridge the VAP - put a new IP address directly on it and configure a new DHCP service on this network). Then use the IP Firewall filter to block in-interface=VAP ...
by ZeroByte
Tue Jan 16, 2018 9:23 pm
Forum: Forwarding Protocols
Topic: MPLS, BGP and OSPF design for wisp
Replies: 27
Views: 5872

Re: MPLS, BGP and OSPF design for wisp

The goal of this design is to use OSPF only for EQMP load balancing between the sites, but BGP as the overall routing protocol. EBGP allows routing policy to be modified and advertised at each tower site. iBGP basically considers the entire AS with a more or less single unified routing policy for eg...
by ZeroByte
Tue Jan 16, 2018 8:56 pm
Forum: Beginner Basics
Topic: Demo License / Level 1 for home use
Replies: 6
Views: 1434

Re: Demo License / Level 1 for home use

I think the electricity savings would more than pay for a hEX over a powerful PC running 24x7. ;)
by ZeroByte
Tue Jan 16, 2018 8:33 pm
Forum: General
Topic: Multiple subnet routing
Replies: 1
Views: 279

Re: Multiple subnet routing

In layer 3, each node must have a route to every other IP address in the network. I'm assuming that the PFSense cluster is a layer3 firewall and not acting as a transparent L2 firewall. I'm also assuming that the public IP addresses for your company are on the WAN interfaces of the NG0x nodes (where...
by ZeroByte
Tue Jan 16, 2018 6:09 pm
Forum: Forwarding Protocols
Topic: BGP Route Reflectors, how to properly configure??
Replies: 19
Views: 10655

Re: BGP Route Reflectors, how to properly configure??

But, this example seems to be a bad practice and in my opinion it doesn't make sense, because the idea of getting two RRs is to increase the uptime of any iBGP solution, so why are you going to configure a Route-Reflector client to only one RR instead of configuring it to both RRs?? I think this is ...
by ZeroByte
Tue Jan 16, 2018 5:50 pm
Forum: General
Topic: Dual wan PCC load balancing
Replies: 4
Views: 955

Re: Dual wan PCC load balancing

ok - it looks like your NAT rules are to blame. You're using netmap which is a stateless nat action - that means you must use TWO rules to accomplish each mapping. I see why you thought to use this, as it's apparent that you have a 1:1 relationship between a specific public IP address and private IP...
by ZeroByte
Mon Jan 15, 2018 6:17 pm
Forum: Forwarding Protocols
Topic: BGP Route Reflectors, how to properly configure??
Replies: 19
Views: 10655

Re: BGP Route Reflectors, how to properly configure??

Can you please point out the part in the RFC that says you must use the same ID on all members of the same cluster? I was going to draw a diagram of a scenario that would cause blackholing, but I found one on this website http://network-101.blogspot.co.uk/2011/06/bgp-cluster-id-loop-prevention.html...
by ZeroByte
Mon Jan 15, 2018 6:07 pm
Forum: Beginner Basics
Topic: Probably a basic issue not able to network across multiple networks and devices
Replies: 4
Views: 402

Re: Probably a basic issue not able to network across multiple networks and devices

The upstream router needs to have a static route to the downstream router.

Add an IP route w/ the dst=10.0.1.0/24 and gateway=wan.ip.of.rb911
by ZeroByte
Mon Jan 15, 2018 6:05 pm
Forum: RouterBOARD hardware
Topic: hEX PoE Routing between sfp ethernet and eth0
Replies: 1
Views: 408

Re: hEX PoE Routing between sfp ethernet and eth0

Not sure which port you mean by "eth0" as Mikrotik's ethernet interfaces are named "ether1, ether2, ..." but regardless, it is easy to have ports as isolated layer3 ports in Mikrotik. Just make sure that they're not part of any master/slave switch groups (v6.40.5 and earlier) and are not configured ...
by ZeroByte
Mon Jan 15, 2018 5:55 pm
Forum: General
Topic: Dual wan PCC load balancing
Replies: 4
Views: 955

Re: Dual wan PCC load balancing

Without digging into your configuration, I can say that the most likely cause is that your mangle tables aren't creating connection tracking entries for route marks on new connections originating on the various WAN interfaces. That's the most common mistake I've seen in posts with your problem.
by ZeroByte
Thu Jan 11, 2018 10:45 pm
Forum: General
Topic: IGMP Snooping Command
Replies: 12
Views: 15691

Re: IGMP Snooping Command

I read the manual page you linked to. By my reading, it's entirely possible that the multicast helper acts in a manner similar to PIM in dense mode - i.e. it sends a copy to EACH client at its individual mod rate, as opposed to sending a copy only to the subscribed stations. Given that they just now...
by ZeroByte
Thu Jan 11, 2018 4:37 pm
Forum: General
Topic: IGMP Snooping Command
Replies: 12
Views: 15691

Re: IGMP Snooping Command

Sorry, of course I mean multicast traffic. I need IPTV from my ISP to work on a notebook over WiFi. The problem now is: when any device connected to my hAP lite via WiFi starts viewing IPTV, all other wifi-clients start receiving multicast traffic simultaneously. IGMP snooping enabled/disabled on br...
by ZeroByte
Thu Jan 11, 2018 12:43 am
Forum: General
Topic: IGMP Snooping Command
Replies: 12
Views: 15691

Re: IGMP Snooping Command

Well, IGMP flooding over WiFi is still here. I have a hAP lite with RouterOS 6.41 and even after enabling IGMP snooping on bridge interface I have IGMP traffic on all connected wireless devices. This may be a silly question, but are any wireless devices subscribed to the multicast group? Furthermor...
by ZeroByte
Thu Jan 11, 2018 12:26 am
Forum: General
Topic: Rule order for established
Replies: 7
Views: 627

Re: Rule order for established

established = state tracking has seen traffic in both directions. I'd define it as: has passed traffic in one direction. In home NAT environments, if your browser sends tcp syn, the 1st returning syn,ack already is related. (otherwise it would be blocked !) Yeah - but I think "established" is what ...
by ZeroByte
Wed Jan 10, 2018 6:42 pm
Forum: General
Topic: Rule order for established
Replies: 7
Views: 627

Re: Rule order for established

established = state tracking has seen traffic in both directions. related = state tracking helper has noticed that the packet is part of a connection negotiated in another established connection No packet will match these states as part of an initial connection, so the packet will go past this rule ...
by ZeroByte
Wed Jan 10, 2018 4:37 pm
Forum: Forwarding Protocols
Topic: BGP Multipath Load Balancing
Replies: 14
Views: 2912

Re: BGP Multipath Load Balancing

It can be changed if made a filter to discard half of ISP1 prefixes? No, here I mean the route prefixes that I receive from ISP1 and not my advertised networks prefixes. This would only affect your outbound traffic path selection. In fact, the better thing to do about prefixes received from upstrea...
by ZeroByte
Wed Jan 10, 2018 12:16 am
Forum: General
Topic: Rule order for established
Replies: 7
Views: 627

Re: Rule order for established

Typically, you do want that first or at least as early as possible for the very reason you're thinking. If you have some filters that you would like to be able to use to cut off existing flows, you can place those in the prerouting chain of the RAW table, which happens before state tracking. The raw...
by ZeroByte
Tue Jan 09, 2018 11:05 pm
Forum: Forwarding Protocols
Topic: BGP Multipath Load Balancing
Replies: 14
Views: 2912

Re: BGP Multipath Load Balancing

It can be changed if made a filter to discard half of ISP1 prefixes? If you do that, and ISP2 goes down, then any IP within those prefixes not being advertised to ISP1 will not have Internet connectivity. Let's say that you have a /20 of IP space, all contiguous as a single /20 block, e.g. 100.64.8...
by ZeroByte
Tue Jan 09, 2018 6:05 pm
Forum: Beginner Basics
Topic: port forwarding blocks internet
Replies: 5
Views: 641

Re: port forwarding blocks internet

Hello, I want to see if somebody is using port-forwarding, and from which IP it's coming. Now I only see the IP of the router. If I click under IP>Firewall>NAT the option In.Interface:Ether1, then I'm able to see the external IP, but this blocks all my outgoing traffic (no access to internet). It sounds like your n...
by ZeroByte
Tue Jan 09, 2018 5:33 pm
Forum: Forwarding Protocols
Topic: BGP Multipath Load Balancing
Replies: 14
Views: 2912

Re: BGP Multipath Load Balancing

First of all - are we talking about outbound traffic or inbound traffic? Local_Pref (and other such metrics) will tune your OUTBOUND preference, but only on the prefixes you receive. If you're getting only a few dozen or few hundred prefixes, then you're going to get almost zero load-balancing from ...
by ZeroByte
Mon Jan 08, 2018 11:10 pm
Forum: Wireless Networking
Topic: Mikrotik user
Replies: 1
Views: 285

Re: Mikrotik user

Your question is a little bit unclear. Do you mean that users are sharing their wifi password, and multiple people are connecting using that? Or do you mean that people are connecting routers to your network and then sharing it with their own WiFi from those routers? There's not much you can do abou...
by ZeroByte
Mon Jan 08, 2018 5:12 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 154927

Re: RouterOS v7.0 beta1 - when?

I think he's referring to the fact that BGP runs in a single thread - ergo cannot take advantage of multi-core tile platform. It could be that during convergence, his network performance is spotty due to various reasons, but that's just speculation on my part. At the end of the day, though, there ha...
by ZeroByte
Wed Jan 03, 2018 4:42 pm
Forum: Beginner Basics
Topic: Service port filtering for just one interface
Replies: 4
Views: 403

Re: Service port filtering for just one interface

Disable HW forwarding on the interface in question and then you can use the bridge filter rules to block the traffic. Chain = input Ethernet protocol = ip ip protocol = udp ports=67,68 To disable HW forwarding in versions 6.40.5 and below, you set master-port=none / in v6.41 and after, you un-check ...
by ZeroByte
Tue Jan 02, 2018 4:44 pm
Forum: Forwarding Protocols
Topic: RIP routers without next hop
Replies: 20
Views: 1474

Re: RIP routers without next hop

Thanks for clearing up my explanation, Airbanduk.

It's threads like this which lead to my writing the haiku in my signature line. :)
by ZeroByte
Tue Jan 02, 2018 4:27 pm
Forum: The User Manager
Topic: Locked iPhone means no notifications - MT Hotspot [SOLVED]
Replies: 7
Views: 1457

Re: Locked iPhone means no notifications - MT Hotspot [SOLVED]

Personally, I'm not a fan of hotspots. They cause all sorts of things like this to happen. The biggest issue would probably be the increasing use of SSL everywhere, because transparent redirection of SSL causes warnings to pop up on the customers' screens if the devices aren't silently testing for h...
by ZeroByte
Tue Jan 02, 2018 2:18 am
Forum: Forwarding Protocols
Topic: BGP bug - subtle but problematic issue with communities
Replies: 24
Views: 3202

Re: BGP bug - subtle but problematic issue with communities

I haven't tested this lately, but I would suspect that this is on the "fixed in v7" pile of cans being kicked down the road over in Latvia. ;) On this topic, I think it would be nice if the networks list allowed you to assign a routing filter chain per network, similar to the route-map functionality...
by ZeroByte
Tue Jan 02, 2018 2:10 am
Forum: Beginner Basics
Topic: Help with IPV6 on RB750
Replies: 2
Views: 415

Re: Help with IPV6 on RB750

You'll need to get an IPv6 allocation from your ISP which has at least 4 blocks of addresses in it. The standard subnet in IPv6 is a /64. This means at the very minimum, you should receive at least a /62 but recommended best practice is to avoid subnetting except on nibble boundaries - which means th...
by ZeroByte
Fri Dec 29, 2017 11:50 pm
Forum: The User Manager
Topic: Locked iPhone means no notifications - MT Hotspot [SOLVED]
Replies: 7
Views: 1457

Re: Locked iPhone means no notifications - MT Hotspot [SOLVED]

Users are not logged out of hotspot when this problem occurs. Keep-alives also fail. Problem also occurs if phone is added to bypass list and can browse fine without traditional authentication steps. That's not the impression I got reading your original post: Bypassing hotspot - I ping the phone, ...
by ZeroByte
Fri Dec 29, 2017 6:41 pm
Forum: Forwarding Protocols
Topic: RIP routers without next hop
Replies: 20
Views: 1474

Re: RIP routers without next hop

But I am afraid you were not accurate in one point: the router does not accept the packets because it hasn't joined the multicast address for RIP v2, 224.0.0.9. You can add any route to RIP, and then it will work. I added 0.0.0.0/0, and then it reports its membership via IGMPv3 to that multic...
by ZeroByte
Fri Dec 29, 2017 6:39 pm
Forum: Forwarding Protocols
Topic: RIP routers without next hop
Replies: 20
Views: 1474

Re: RIP routers without next hop

If it's just going to be the one interface, and you're only expected to receive routes (not transmit them) then it's going to be really safe to just do this: interface=all passive=yes listen=v2 network=0.0.0.0/0 done. Of course your router will now listen for RIP on all interfaces, but you could eas...
by ZeroByte
Thu Dec 28, 2017 9:53 pm
Forum: Forwarding Protocols
Topic: RIP routers without next hop
Replies: 20
Views: 1474

Re: RIP routers without next hop

Thanks, but I'm afraid those are the routes that would get sent to your rip neighbours. I've already tried to add the remote router as a known neighbour, but no luck either; it ignores the routes it receives. Okay - after playing around with RIP a bit, I can say with a little more confidence that I thin...
by ZeroByte
Thu Dec 28, 2017 5:14 pm
Forum: Forwarding Protocols
Topic: RIP routers without next hop
Replies: 20
Views: 1474

Re: RIP routers without next hop

I've gotten RIP working on RouterOS before and don't recall it being anything difficult at all. It "just worked" - so I'm about to set it up in GNS3 just to see if anything is difficult or unusual...
by ZeroByte
Thu Dec 28, 2017 2:37 am
Forum: The User Manager
Topic: Locked iPhone means no notifications - MT Hotspot [SOLVED]
Replies: 7
Views: 1457

Re: Locked iPhone means no notifications - MT Hotspot [SOLVED]

You could add TCP port 5223 to the walled garden configuration, as that's the port used by the push notification system. https://developer.apple.com/library/content/technotes/tn2265/_index.html#//apple_ref/doc/uid/DTS40010376-CH1-TNTAG2 The above link is more focused on app development, but I would ...
by ZeroByte
Thu Dec 28, 2017 2:26 am
Forum: General
Topic: POE OUTPUT TIMER
Replies: 1
Views: 233

Re: POE OUTPUT TIMER

One way would be to use a normally-open relay (It seems your current relay is normally-closed since PoE on = device off) and then reboot the Mikrotik to reboot the modem.... Another would be to do a little scripting - make a script which will turn PoE on, then sleep for 5 seconds or so, then turn it...
by ZeroByte
Thu Dec 28, 2017 2:17 am
Forum: Forwarding Protocols
Topic: RIP routers without next hop
Replies: 20
Views: 1474

Re: RIP routers without next hop

Did you add a network to RIP which covers the interface where you want to receive RIP routes?
(I'm actually a greenhorn with RIP, but these are the things I would try if messing around with it)
by ZeroByte
Thu Dec 28, 2017 2:06 am
Forum: General
Topic: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]
Replies: 58
Views: 9668

Re: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]

Unfortunately, I think this is a known issue with Mikrotik users. We are a service provider with SIP phones at our clients' locations, and if we put a backup connection at the site, the SIP connections do exactly what you're describing, and our workaround has been the same - to wipe all SIP connecti...
by ZeroByte
Thu Dec 28, 2017 1:59 am
Forum: Beginner Basics
Topic: dstnat Problem forwarting
Replies: 3
Views: 357

Re: dstnat Problem forwarting

Your SRCnat rules don't change from the typical default: chain=srcnat out-interface=ether1 action=masquerade (assuming that ether1 is the WAN interface) You then make some filter rules to block the 10.20.20.0/24 network from accessing the Internet: (assumes ether2 = 10.10.10.0/24, ether3 is 10.20.20...
by ZeroByte
Thu Dec 28, 2017 12:12 am
Forum: Forwarding Protocols
Topic: RIP routers without next hop
Replies: 20
Views: 1474

Re: RIP routers without next hop

Have you tried disabling the passive setting? I think passive instructs RIP not to learn routes....
by ZeroByte
Tue Dec 26, 2017 8:16 pm
Forum: Beginner Basics
Topic: RB2011 password recovery
Replies: 2
Views: 3587

Re: RB2011 password recovery

The serial port access will only give you the ability to have the router boot into netboot mode so that you can overwrite the flash using this method (as opposed to having to hold down the reset button for some amount of time). Serial access does not have any kind of security override backdoor. If y...
by ZeroByte
Tue Dec 26, 2017 8:05 pm
Forum: General
Topic: ICMP download queue priority on Router OS V6
Replies: 3
Views: 554

Re: ICMP download queue priority on Router OS V6

This config worked ok for upload but not for download. The only way I can get it to work is setting All-Download Max-limit to 9M, so ICMP can take the remaining bandwidth, but that is not the way it is supposed to work, right? Doing download QoS on a device that's south of the bottleneck may not alway...
by ZeroByte
Tue Dec 26, 2017 7:59 pm
Forum: General
Topic: IPIP tunnel and filter rules
Replies: 6
Views: 1436

Re: IPIP tunnel and filter rules

Honestly, though, it might be a lot easier to just use SSTP instead of IPSEC+IPIP
by ZeroByte
Tue Dec 26, 2017 7:57 pm
Forum: General
Topic: IPIP tunnel and filter rules
Replies: 6
Views: 1436

Re: IPIP tunnel and filter rules

So for beginning there are no IPSec now and no IPIP. Then "first" router initiates IPIP tunnel (sends packet to "second" router without IPSec, because it's broken). "Second" router for now hasn't seen any packet before and has firewall rule to drop packet received without IPSec, but for some reason...
by ZeroByte
Tue Dec 26, 2017 7:44 pm
Forum: General
Topic: Mikrotik performance as a client VPN server
Replies: 2
Views: 328

Re: Mikrotik performance as a client VPN server

Will it degrade too much the current experience? Will this work behind a NATTed router? 1: It depends on the router you choose and how powerful it is, especially CPU power and whether it has hardware encryption acceleration. Maybe someone else can recommend specific models. It also depends on how mu...
by ZeroByte
Tue Dec 26, 2017 7:40 pm
Forum: General
Topic: ICMP download queue priority on Router OS V6
Replies: 3
Views: 554

Re: ICMP download queue priority on Router OS V6

I haven't thoroughly considered your situation, but one thing that jumps off the page at me is the fact that your limit-at is set to 10M on the data download queue. Limit-At is better thought of as "guaranteed minimum" So if you add up the limit-at values of the child queues, and this total is large...
by ZeroByte
Thu Dec 21, 2017 8:03 pm
Forum: General
Topic: DHCP + RADIUS - renew does not check RADIUS
Replies: 7
Views: 1369

Re: DHCP + RADIUS - renew does not check RADIUS

It is resolved in newer releases. 6.39 and newer... Apparently I spoke too soon. I had the logging level set too low on my router and saw the RADIUS traffic corresponding with lease renewals. I thought these were AUTH requests/replies, but upon deeper inspection, it appears that this was just RADIU...
by ZeroByte
Thu Dec 21, 2017 5:40 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123693

Re: v6.41rc [release candidate] is released! New bridge implementation!

What's new in 6.41rc66 (2017-Dec-14 13:53): *) dhcp-server - added basic RADIUS accounting; The RADIUS accounting packets for DHCP sessions do not include the User-Name attribute, which should be set as the MAC address of the client, just as it had been sent in the authentication request. Freeradiu...
by ZeroByte
Thu Dec 21, 2017 5:24 pm
Forum: General
Topic: DHCP + RADIUS - renew does not check RADIUS
Replies: 7
Views: 1369

Re: DHCP + RADIUS - renew does not check RADIUS

We reported this exact issue as a bug and worked with Mikrotik support to fix it recently. It is resolved in newer releases. 6.39 and newer... lol - I have two different versions running in my GNS3 testbed, one is 6.41rc66, and the other is 6.38.5 The 6.38 was the first one I put into the test topo...
by ZeroByte
Thu Dec 21, 2017 2:17 am
Forum: Wireless Networking
Topic: avoiding broadcast storm
Replies: 11
Views: 2718

Re: avoiding broadcast storm

Route the end users and do not bridge them. Problem solved before it exists. Agreed - the more you break up your layer2 broadcast domains, the better off you will be and the more impervious to these layer2 issues your network will be. Even if you go with the extreme case where each individual AP is...
by ZeroByte
Thu Dec 21, 2017 2:07 am
Forum: General
Topic: Blocking IP's by region [SOLVED]
Replies: 6
Views: 2177

Re: Blocking IP's by region [SOLVED]

Pretty cool link. The firewall syntax they use shows this was designed for a bit older revs of RouterOS, but it will work just fine in modern revs as well. You may also want to cross-check the address lists generated against some other sites with similar lists, because this can change from time to t...
by ZeroByte
Thu Dec 21, 2017 1:53 am
Forum: General
Topic: Can't ping Users
Replies: 5
Views: 430

Re: Can't ping Users

You may need to break out wireshark and do some packet sniffing at the various connection points in your network to verify whether you see the echo requests from the router and/or replies towards the router. Essentially, find out where they're being dropped and then drill down on that point to deter...
by ZeroByte
Thu Dec 21, 2017 1:49 am
Forum: General
Topic: DHCP + RADIUS - renew does not check RADIUS
Replies: 7
Views: 1369

Re: DHCP + RADIUS - renew does not check RADIUS

I'm sorry I've no answers, but I have a question: :D Is the lease duration set by the MT DHCP server (settings) or by RADIUS? I guess deleting leases via script leads to an overlapping addresses risk (can RADIUS take care of this?) Mikrotik uses the DHCP server configuration for lease time unless specifi...
by ZeroByte
Wed Dec 20, 2017 4:52 pm
Forum: General
Topic: Can't ping Users
Replies: 5
Views: 430

Re: Can't ping Users

Not to throw out the simplest thing first, but could they just be blocking your pings?
by ZeroByte
Wed Dec 20, 2017 4:33 pm
Forum: Beginner Basics
Topic: Hostname or MAC of Device [SOLVED]
Replies: 2
Views: 327

Re: Hostname or MAC of Device [SOLVED]

Look in the Switch menu or Bridge menu under the hosts tab. This will show what MAC addresses are connected to which ports.
by ZeroByte
Tue Dec 19, 2017 8:35 pm
Forum: Scripting
Topic: Interface Port reset when there is no Rx traffic
Replies: 2
Views: 583

Re: Interface Port reset when there is no Rx traffic

I'd say that it would be better to get to the bottom of why this happens in the first place, not put a BandAid on it. Have you tried: Switching ethernet cables Switching to a different interface on the Mikrotik Looking at the device's state when not sending packets to the Mikrotik anymore? - e.g. do...
by ZeroByte
Tue Dec 19, 2017 8:20 pm
Forum: Beginner Basics
Topic: failure: only one master port in switch group allowed
Replies: 2
Views: 878

Re: failure: only one master port in switch group allowed

I would think that setting all ports to the same bridge, adding two vlan interfaces to the bridge, and then setting the PVID on each port to match the VLAN you want it to appear in would be the way to do this. That would give full HW-accelerated switching with ports being separated from each other.
by ZeroByte
Tue Dec 19, 2017 5:54 pm
Forum: General
Topic: Blocking IP's by region [SOLVED]
Replies: 6
Views: 2177

Re: Blocking IP's by region [SOLVED]

There's no built-in geo-reference feature in RouterOS.
You will have to use some other source of data to choose your IP ranges and either manually create an address list to your liking, or you can automate it with scripting or BGP distribution.
by ZeroByte
Tue Dec 19, 2017 5:42 pm
Forum: General
Topic: IPIP tunnel and filter rules
Replies: 6
Views: 1436

Re: IPIP tunnel and filter rules

In any case it's oddly that ROS always treats IPIP packets as "established, related" even when creating tunnel. Not at all. Whenever you have connection tracking enabled (which is the default) then every connection is evaluated by the engine. The IPIP tunnel packets are in fact a conversation over ...
by ZeroByte
Tue Dec 19, 2017 4:36 pm
Forum: Beginner Basics
Topic: Need help with my firewall rules [SOLVED]
Replies: 3
Views: 536

Re: Need help with my firewall rules [SOLVED]

There's no need to have a rule to explicitly drop ICMP in your posted filter rules. add action=drop chain=input in-interface=!ether1 protocol=icmp icmp-options=8:0-255 add action=accept chain=input connection-state=established add action=accept chain=input connection-state=related add action=drop ch...
by ZeroByte
Mon Dec 18, 2017 9:38 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123693

Re: v6.41rc [release candidate] is released! New bridge implementation!

Don't waste your time. I've got an answer from MT today: ----------------------------------------------- Hello, Is DHCP client receiving DNS server specified under DHCP server network settings and DNS servers used by router itself? If this is correct, then this is how RouterOS works. We will in fu...
by ZeroByte
Mon Dec 18, 2017 7:19 pm
Forum: General
Topic: IPIP tunnel and filter rules
Replies: 6
Views: 1436

Re: IPIP tunnel and filter rules

The easiest solution would be to use the RAW table. Create a rule in prerouting which matches IPIP traffic from the remote peer and uses the action "no track" This way, the IPIP traffic will never be in the established or related state. Although, I would say that you still run the risk of exfiltrate...
by ZeroByte
Thu Dec 14, 2017 11:05 pm
Forum: General
Topic: DHCP + RADIUS - renew does not check RADIUS
Replies: 7
Views: 1369

DHCP + RADIUS - renew does not check RADIUS

I'm working on a solution that includes RADIUS-backed DHCP as a component. Unfortunately, the DHCP server in ROS seems to have a behavior that works counter to the goal of this design. In a nutshell, whenever I enable RADIUS on the server, the server will send RADIUS authentication requests for new ...
by ZeroByte
Thu Dec 14, 2017 4:55 pm
Forum: Forwarding Protocols
Topic: OSPF filter external E2 [SOLVED]
Replies: 6
Views: 822

Re: OSPF filter external E2 [SOLVED]

Well, I learned something today - summary-address DOES in fact aggregate routes during the type7 -> type5 translation process. Re-reading your post actually made me think for a moment and it made sense to me that this would work, which is why I tried it. Thanks for the knowledge boost. Furthermore, ...
by ZeroByte
Thu Dec 14, 2017 4:42 pm
Forum: Forwarding Protocols
Topic: OSPF filter external E2 [SOLVED]
Replies: 6
Views: 822

Re: OSPF filter external E2 [SOLVED]

I designed this using Cisco routers and discovered that the summary-address command only filters more specific prefixes if it matches a type 7 LSA - all type 5 LSAs pass into the backbone even if they match the summary-address prefix. So it only works with NSSAs. However, when I tried this using CC...
by ZeroByte
Thu Dec 14, 2017 12:55 am
Forum: Forwarding Protocols
Topic: OSPF Dual Gateways
Replies: 4
Views: 1024

Re: OSPF Dual Gateways

In Mikrotik, you need to specify a non-default target-scope on routes that will use recursive lookup. Your recursive default GW (via 1.1.0.1 or whatever address you use) must have target-scope=30.... or whatever scope the route towards 1.1.0.1 has. Basically route targets will only match on routes w...
by ZeroByte
Wed Dec 13, 2017 5:25 pm
Forum: Forwarding Protocols
Topic: OSPF Dual Gateways
Replies: 4
Views: 1024

Re: OSPF Dual Gateways

OSPF really is not a policy routing type of protocol. It picks the link which represents the first hop in the shortest path to a given destination. The only "fancy" thing at its disposal is ECMP - equal cost multi-path, which means to load balance between X links if all of them share the same distan...
by ZeroByte
Tue Dec 12, 2017 9:26 pm
Forum: General
Topic: SNAT LOG in mikrotik os
Replies: 5
Views: 399

Re: SNAT LOG in mikrotik os

It's just syslog - any Linux host can do this, and there are many syslog server programs available for Windows. Setting up syslog is something you should probably do some research on and come up with your own solution. And the dynamic NAT functions in Mikrotik are src-nat / dst-nat / masquerade Any ...
by ZeroByte
Tue Dec 12, 2017 8:37 pm
Forum: Forwarding Protocols
Topic: OSPF filter external E2 [SOLVED]
Replies: 6
Views: 822

Re: OSPF filter external E2 [SOLVED]

Cisco summary-address equivalent is /routing ospf area range> That's not true. Cisco also has area range, and it works the same in both ROS / Cisco as far as I can tell. summary-address has no direct equivalent in ROS. Or, is there a way to suppress the translation of NSSA to type 5 at the ABR for ...
by ZeroByte
Tue Dec 12, 2017 8:09 pm
Forum: General
Topic: SNAT LOG in mikrotik os
Replies: 5
Views: 399

Re: SNAT LOG in mikrotik os

tick the logging box on the srcnat rules in your router. (the checkbox is in the actions tab for each rule) The log entries contain the information you want, but the format is defined by the system and the most you can do is put a block of predefined text (log prefix) into each entry. Then set up lo...
by ZeroByte
Tue Dec 12, 2017 8:04 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 154927

Re: RouterOS v7.0 beta1 - when?

Could we expect a setup assistant for IPv6 NAT in RouterOS? IPv6 NAT - I bet we have to wait longer than the IGMP snooping people waited before it comes out. . . If Mikrotik _does_ decide to add this in, I would request the following flavors (most-preferred first) - NAT64 protocol translation (sta...
by ZeroByte
Tue Dec 12, 2017 4:39 pm
Forum: General
Topic: SSTP & IPv6
Replies: 18
Views: 4856

Re: SSTP & IPv6

Most likely new IPv6 features will not be added in ROS v6. Thanks for being forthright about that. I do hope that ROSv7 reaches beta soon, in that case. I can't even remember all of the things that are promised to be fixed in v7, but it's a lot, and much of it in the IPv4 side of the house. Mikroti...
by ZeroByte
Tue Dec 12, 2017 4:18 pm
Forum: General
Topic: SSTP & IPv6
Replies: 18
Views: 4856

Re: SSTP & IPv6

... and for the sake of completeness for anyone else reading the thread, IPIPv6 tunnel also works for transporting v4 over v6. (just tested to make sure) Currently only tunnels you can use for transporting IPv4 over IPv6 is EoIPv6 Gre6, and IPSec Given that this thread started quite a long while ago...
by ZeroByte
Tue Dec 12, 2017 1:43 am
Forum: General
Topic: SSTP & IPv6
Replies: 18
Views: 4856

Re: SSTP & IPv6

Currently you can't connect to the router using IPv6 address. This feature will be added in future versions. This was 7 years ago. How future was that version you were talking about MRZ? I just tried it in CHR 6.41rc and . . . it stiiiil doesn't work. :( I was talking to Janis at MUM 2017 about the...
by ZeroByte
Mon Dec 11, 2017 10:12 pm
Forum: Beginner Basics
Topic: How to access my AT&t gateway router from LAN [SOLVED]
Replies: 2
Views: 436

Re: How to access my AT&t gateway router from LAN [SOLVED]

Add a second IP to your router's WAN interface - if the modem is connected to ether1, for instance: /ip address add address=192.168.1.253/24 interface=ether1 next add a srcnat rule to access the modem: /ip firewall nat add chain=srcnat dst-address=192.168.1.254 action=src-nat to-address=192.168.1.25...
by ZeroByte
Mon Dec 11, 2017 9:39 pm
Forum: Beginner Basics
Topic: LAN1 & LAN2 can talk
Replies: 2
Views: 510

Re: LAN1 & LAN2 can talk

If you're using policy routing to force LAN1 -> WAN1 and LAN2 -> WAN2, then you need to make sure that LAN1 is in LAN2's routing table, and that LAN2 is in LAN1's routing table. More than likely, you're using the main routing table for one or the other LAN - let's say LAN1 is in the main routing tab...
by ZeroByte
Mon Dec 11, 2017 9:29 pm
Forum: RouterBOARD hardware
Topic: MikroTik HAP AC vs. CRS109-8G-1S-2HnD-IN for home Router / AP
Replies: 3
Views: 652

Re: MikroTik HAP AC vs. CRS109-8G-1S-2HnD-IN for home Router / AP

CRS products are primarily switches, so don't get one of these thinking that it's going to be a high-performance router.

If you like the ports/features of a CRS, you might pair it up with a hEX router.

The hAP AC would be my choice of the things you listed.
by ZeroByte
Mon Dec 11, 2017 6:01 pm
Forum: Beginner Basics
Topic: Configure for ftp forwarding
Replies: 4
Views: 2494

Re: Configure for ftp forwarding

Hi, I am not able to give the command: /ip address add address=10.5.8.200/32 interface=Public. We get result : input does not match any value of interface. Why is this..? When I check ip address interface our address is there but interface is ether1 Thanks Ajith This just means that you don't have a...
by ZeroByte
Mon Dec 11, 2017 5:45 pm
Forum: Forwarding Protocols
Topic: Issues with BGP peering and TCP MD5 Keys
Replies: 3
Views: 856

Re: Issues with BGP peering and TCP MD5 Keys

Honestly, I'd just opt to get public IP space from them and not have my router be behind NAT if I were in your situation. Comcast Business uses a special router for their connections - it's actually a Cisco from what I understand, and as such they don't offer placing their modem into bridge mode lik...
by ZeroByte
Thu Dec 07, 2017 4:31 pm
Forum: General
Topic: Ports & Firewall
Replies: 3
Views: 409

Re: Ports & Firewall

Thank you for the help. I wish to access my rb950 via winbox which is running on port 8291 and I have a public IP configured in the rb950. How do I add this to the NAT configure? Regards You don't add NAT rules for talking to the router itself. (NAT means to modify the src/dst IP address and/or port...
by ZeroByte
Tue Dec 05, 2017 5:11 pm
Forum: General
Topic: Outbound Port 25
Replies: 8
Views: 1510

Re: Outbound Port 25

Sounds like it's being blocked by the ISP - or perhaps your router.

Just to verify, in your router, open a terminal window and run the command: /ip firewall nat export
Post the results here, preferably in a code block like this so that it's most readable.
by ZeroByte
Tue Dec 05, 2017 4:28 pm
Forum: General
Topic: Ports & Firewall
Replies: 3
Views: 409

Re: Ports & Firewall

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT In a nutshell, you want to use the IP > Firewall > NAT configuration. Add rules to the "dstnat" chain. In each rule, you use dst-port=xxxx as the "outside" port you want mapped, action=dst-nat and to-address=x.x.x.x (inside IP address) - if the i...
by ZeroByte
Tue Dec 05, 2017 12:19 am
Forum: General
Topic: Outbound Port 25
Replies: 8
Views: 1510

Re: Outbound Port 25

Do you know how to perform an SMTP transaction using telnet? If so, then you should telnet to port 25 on some mail server out on the Internet where you know the destination is local - especially if you have a gmail account or something - I just did a quick nslookup to discover that the preferred MX ...
by ZeroByte
Mon Dec 04, 2017 5:53 pm
Forum: Forwarding Protocols
Topic: Issues with BGP peering and TCP MD5 Keys
Replies: 3
Views: 856

Re: Issues with BGP peering and TCP MD5 Keys

I'm not sure exactly what's going on, but off the cuff, I'd say that NAT is the problem. That's because if there's a checksum being generated at the TCP header level, then it's almost certainly including the IP address / port number in that checksum, and there'd be no way for the router to re-calcul...
by ZeroByte
Mon Dec 04, 2017 5:45 pm
Forum: Forwarding Protocols
Topic: BGP Route Reflectors, how to properly configure??
Replies: 19
Views: 10655

Re: BGP Route Reflectors, how to properly configure??

Hello, my routes learned by RR appear unreachable in the peers, why is that? Most likely your border routers' Internet attachment circuits' IP ranges are not being advertised into your OSPF. iBGP does not modify the next hop address when it propagates prefixes. So if you have some Border router co...
by ZeroByte
Mon Dec 04, 2017 5:08 pm
Forum: General
Topic: ARP strangeness
Replies: 8
Views: 1130

Re: ARP strangeness

Perhaps my understanding of how you're handing out a /32 is different than the way we're doing it. In our setup (Cisco routers, btw - not Mikrotik on the network side): Interface Gi0/0/0.500 encapsulation dot1q 500 ip unnumbered loopback100 ip verify unicast source reachable-via rx ! ip route 192.0....
by ZeroByte
Sat Dec 02, 2017 2:07 am
Forum: General
Topic: ARP strangeness
Replies: 8
Views: 1130

Re: ARP strangeness

You assume per-customer VLAN, which we're not going to do. One of the goals for this design is to reduce the configuration complexity, and keeping a unique vlan per user is going to run into issues whenever some technician configures a radio with the same vlan as some other customer. We currently gi...
by ZeroByte
Thu Nov 30, 2017 8:18 pm
Forum: General
Topic: ARP strangeness
Replies: 8
Views: 1130

Re: ARP strangeness

You can skip that local-proxy-arp stuff (just use arp:reply-only) if you are willing to hand out 32-bit subnet-masks (255.255.255.255) to your clients via DHCP. This way the only arp-request a client ever asks for is its default gateway. I understand that. However, I don't want to block east/west c...
by ZeroByte
Thu Nov 30, 2017 2:18 am
Forum: General
Topic: ARP strangeness
Replies: 8
Views: 1130

ARP strangeness

Two things: First: I'm considering a network topology model where I want to have strict client isolation at layer2 throughout the customer-access layer of the network, but still allow certain client-to-client communication via the router. That's what local-proxy-arp is for, and it's exactly how to a...
by ZeroByte
Tue Nov 28, 2017 8:32 am
Forum: Forwarding Protocols
Topic: OSPF filter not working
Replies: 7
Views: 1037

Re: OSPF filter not working

I would set /22 to static on border routers to prevent prefix dampening on internet. What do you mean? What he means is that if you have some border router (BR1) which advertises your prefix based on reachability via IGP (as you're doing with OSPF) then what can happen is that if your internal netw...
by ZeroByte
Tue Nov 28, 2017 8:08 am
Forum: General
Topic: LAN host cannot browse until DHCP lease removed/reset
Replies: 3
Views: 278

Re: LAN host cannot browse until DHCP lease removed/reset

It sounds like you're using a hotspot. . . And your problem sounds to me that the leases and hotspot IP pool are getting out of whack from each other. If you have around 200 users - what IP range / mask are you using inside the hotspot LAN? I'd recommend setting it up as a /22 so that you're not run...
by ZeroByte
Mon Nov 27, 2017 8:27 pm
Forum: General
Topic: manually adding link local IPv6 address
Replies: 11
Views: 2834

Re: manually adding link local IPv6 address

Mikrotik, official answer ? While Mikrotik personnel do participate, this forum is more of a community forum than an official communication medium - so I would suggest that you send an email to support requesting this feature. I did list this as one of the things I consider both important and "easy...
by ZeroByte
Mon Nov 27, 2017 7:10 pm
Forum: Forwarding Protocols
Topic: Can i Use Perfix-list in bgp filters [SOLVED]
Replies: 4
Views: 557

Re: Can i Use Perfix-list in bgp filters [SOLVED]

Suppose the chain is called FilterPrefixes and you want to allow 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and deny all other prefixes The behavior of FilterPrefixes should be: If the prefix is acceptable, then FilterPrefixes will return to the calling chain. If the prefix is unacceptable, then ...
by ZeroByte
Mon Nov 27, 2017 5:02 pm
Forum: General
Topic: ipv6 - unable to reach beyond mikrotik.
Replies: 25
Views: 1520

Re: ipv6 - unable to reach beyond mikrotik.

About ND proxy on mikrotik: contact the support. But it is easier (and correct, IMHO) to inform your ISP about RIPE guidelines. Agree 100% ND proxy is a kludge in this situation. If you had a large network with lots of network segments and hosts, the ISP's ONT could quite easily exhaust its neighbo...
by ZeroByte
Tue Nov 21, 2017 11:50 pm
Forum: General
Topic: manually adding link local IPv6 address
Replies: 11
Views: 2834

Re: manually adding link local IPv6 address

Unfortunately, Mikrotik does not allow manual configuration of the link-local address. It auto-generates the address using EUI-64. You could possibly create a specific link-local address based on this by manually specifying the MAC address of your WAN interface to a value whose EUI-64 conversion is ...
by ZeroByte
Tue Nov 21, 2017 11:20 pm
Forum: General
Topic: ipv6 - unable to reach beyond mikrotik.
Replies: 25
Views: 1520

Re: ipv6 - unable to reach beyond mikrotik.

Your traceroute shows exactly that the ISP router has no routes to you for your LAN addresses. Per ISP docs X:X:X:100::/56 is essentially statically assigned to us. that brings us to : X:X:X:0100::0002 - first usable X:X:X:01ff:ffff:ffff:ffff:fffe - last usable. This makes zero sense. Here's what it...
by ZeroByte
Tue Nov 21, 2017 8:40 pm
Forum: General
Topic: ipv6 - unable to reach beyond mikrotik.
Replies: 25
Views: 1520

Re: ipv6 - unable to reach beyond mikrotik.

Stop and consider basic routing (regardless of IPv4 or IPv6, the rules are the same). Your ISP's router must know that the next hop to reach X:X:X:102::/64. They must have a route in their router which states that the next hop to reach that destination (your LAN) is X:X:X:100::8. If they have no suc...
by ZeroByte
Fri Nov 17, 2017 12:31 am
Forum: General
Topic: Port knocking source address list [SOLVED]
Replies: 23
Views: 2361

Re: Port knocking source address list [SOLVED]

OK I'm a bit confused now... does the Mikrotik have an implicit permit all at the end of the firewall rules that we have to explicitly deny? I just inserted a new rule 25 to explicitly drop wan dstnat at the very end.... iptables which I imagine this firewall is based on has an implicit deny all at...
by ZeroByte
Fri Nov 17, 2017 12:26 am
Forum: Beginner Basics
Topic: Is this simple CAPsMAN Setup possible?
Replies: 11
Views: 1191

Re: Is this simple CAPsMAN Setup possible?

Well, I don't know much about CAPsMAN but from what I gather, it's creating interfaces representing the wlan interfaces of the CAPs, and you need to give them a bridge to join. In this case, you'd make a bridge, let's call it LAN. So tell the CAPs to bridge on the LAN bridge. What you do next is con...
by ZeroByte
Thu Nov 16, 2017 11:43 pm
Forum: Beginner Basics
Topic: Is this simple CAPsMAN Setup possible?
Replies: 11
Views: 1191

Re: Is this simple CAPsMAN Setup possible?

Yep. This is simple from the network configuration side of things. Your hEX PoE will basically be just another switch. In the interfaces menu, make sure that interfaces ether2 - ether5 are set as slaves to ether1 (master=ether1) You won't need any IP firewall rules, etc. Just put an IP address on the et...
by ZeroByte
Thu Nov 16, 2017 11:35 pm
Forum: Forwarding Protocols
Topic: IPv6 from internet to IPv4 in local net
Replies: 7
Views: 2110

Re: IPv6 from internet to IPv4 in local net

The first thing to remember is that even though both are called IP, they're pretty much completely separate protocols. The IPv6 firewall rules don't affect IPv4 at all, and vice-versa. What you need to do is obtain a block of IPv6 address space from your provider, apply it to your interfaces, and te...
by ZeroByte
Thu Nov 16, 2017 11:30 pm
Forum: General
Topic: /queue tree parent=global
Replies: 12
Views: 25537

Re: /queue tree parent=global

No, I'd say let the WAN queue trees parent to the proper interfaces and use the same mark for either one - less marks. Basically, the global HTB is one of the last things to happen, and of course interface queue trees happen even later, which is why the postrouting chain is your last chance to mark ...
by ZeroByte
Thu Nov 16, 2017 10:01 pm
Forum: General
Topic: /queue tree parent=global
Replies: 12
Views: 25537

Re: /queue tree parent=global

Okay - what you do is make a general priority marking set of rules in the forward chain. Then in postrouting, you can use the existing marks to re-mark the upstream traffic with wan-specific marks. e.g.: out-interface-list=!wan action=accept passthrough=no (for efficiency) packet-mark=prio1 new-pack...
by ZeroByte
Thu Nov 16, 2017 1:29 am
Forum: General
Topic: /queue tree parent=global
Replies: 12
Views: 25537

Re: /queue tree parent=global

I would think that if you have a global queue tree and a queue tree on an interface that traffic would pass through both queues, and get limited by whichever one runs out of tokens first. I'm having trouble decoding what it is you want to do. It sounds like you want to do a rate-limit queue which ap...
by ZeroByte
Thu Nov 16, 2017 1:13 am
Forum: RouterBOARD hardware
Topic: Hardware recommendation for SOHO environment
Replies: 9
Views: 1250

Re: Hardware recommendation for SOHO environment

If you use a separate switch, then I'd recommend using the hEX instead of the hEX PoE because the hEX has a more powerful CPU - so it can handle more traffic / firewall complexity / etc. I've got one on my desk that I haven't gotten around to stress testing yet - but it's supposed to be able to hand...
by ZeroByte
Thu Nov 16, 2017 1:08 am
Forum: General
Topic: How to add public static IP to WAN?
Replies: 4
Views: 1034

Re: How to add public static IP to WAN?

If their network doesn't route the public IP address directly to your equipment, then there's nothing you can do to apply that address to your router. "Thank you Mario, but our princess is in another castle." Chances are good that they've done a 1:1 NAT and forwarded the traffic to your internal add...
by ZeroByte
Thu Nov 16, 2017 12:42 am
Forum: General
Topic: Port knocking source address list [SOLVED]
Replies: 23
Views: 2361

Re: Port knocking source address list [SOLVED]

The most likely reason your filter didn't work on the "wide open" dstnat rule is because you're using the input chain for most of the work in your port knocking sequence, and I presume that you are also trying to filter the pinhole the same way. Since your knock-protected port is one which will be d...
by ZeroByte
Tue Nov 14, 2017 1:47 am
Forum: General
Topic: Port knocking source address list [SOLVED]
Replies: 23
Views: 2361

Re: Port knocking source address list [SOLVED]

I have one comment about your port knock design. This may sound nit-picky, but following best practice and "structured" design helps make things easier to troubleshoot for both yourself and for anyone else who has to administrate a box after you.... May not be an issue if this is a home router, but ...
by ZeroByte
Tue Nov 14, 2017 12:45 am
Forum: General
Topic: Port knocking source address list [SOLVED]
Replies: 23
Views: 2361

Re: Port knocking source address list [SOLVED]

I tried the established/related with an IKEv2 connection; however, I can't get it blocked in filters. I assume the IPsec module establishes the connection by itself, and the only way to block it is to use a RAW filter. Not sure I understand the problem.... Do you mean that IKEv2 works even when you have filte...
by ZeroByte
Mon Nov 13, 2017 9:11 pm
Forum: General
Topic: Port knocking source address list [SOLVED]
Replies: 23
Views: 2361

Re: Port knocking source address list [SOLVED]

Actually, what you can do is make the final rule which opens the protected port do so with only a 60-second timeout. So long as your filter rules have entries which allow established,related connections, then the access to the protected port will continue working even after the knock expires. Exampl...
by ZeroByte
Mon Nov 13, 2017 8:26 pm
Forum: General
Topic: Port knocking source address list [SOLVED]
Replies: 23
Views: 2361

Re: Port knocking source address list [SOLVED]

You can add a src-address=x.x.x.x/m criteria to the first port in the port knock list. Also, if you have more than one range of addresses, you can create an address list called e.g. knock_sources, populate it with the IP blocks you wish to permit and use src-address-list=knock_sources in the first p...
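
A complete knock sequence that combines the points from the three replies above: restrict who may even start knocking with an address list on the first port, open the protected port for only 60 seconds on the final knock, and rely on established/related to keep sessions alive after the entry expires. This is an added example, not ZeroByte's configuration; the knock ports, the WAN interface name and the 203.0.113.0/24 and 198.51.100.0/24 source ranges are constructed.

```routeros
/ip firewall address-list
# Constructed: the only source networks allowed to begin a knock sequence.
add list=knock_sources address=203.0.113.0/24 comment="office"
add list=knock_sources address=198.51.100.0/24 comment="home"

/ip firewall filter
# Keep existing sessions alive. This is what lets a WinBox session outlive the
# 60-second knock_open entry that admitted it.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop

# Knock 1: only permitted sources may start; each stage is 15 s wide.
add chain=input protocol=tcp dst-port=1111 connection-state=new \
    src-address-list=knock_sources action=add-src-to-address-list \
    address-list=knock1 address-list-timeout=15s comment="knock 1"
# Knock 2: must follow knock 1.
add chain=input protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=knock1 action=add-src-to-address-list \
    address-list=knock2 address-list-timeout=15s comment="knock 2"
# Knock 3: opens the protected port for 60 s only.
add chain=input protocol=tcp dst-port=3333 connection-state=new \
    src-address-list=knock2 action=add-src-to-address-list \
    address-list=knock_open address-list-timeout=1m comment="knock 3"

# Protected service (WinBox, tcp/8291): only *new* connections are gated by
# knock_open; once accepted, the established/related rule carries them on.
add chain=input protocol=tcp dst-port=8291 connection-state=new \
    src-address-list=knock_open action=accept
add chain=input protocol=tcp dst-port=8291 action=drop

# Everything else arriving from the WAN, including the knock packets
# themselves (which only need to be seen, not answered), is dropped.
add chain=input in-interface=ether1-wan action=drop comment="default deny from WAN"
```

The rule ordering matters: the established/related accept sits above the knock stages so that only the first SYN of a session is ever evaluated against knock_open. If the protected port is instead a dst-nat pinhole to an inside host, the accept/drop pair for it belongs in chain=forward with the inside dst-address, because dst-nat'ed traffic never enters the input chain.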
by ZeroByte
Thu Nov 09, 2017 10:17 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 154927

Re: RouterOS v7.0 beta1 - when?

You must find a solution to the problem of Internet theft through the MAC
MAC-based authentication/accounting is broken in general because it is trivial to spoof MAC addresses. The solution is to utilize some higher level of AAA such as PPPoE or WPA2-Enterprise.
by ZeroByte
Thu Nov 09, 2017 4:23 pm
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7907

Re: Help me stop MAC spoofing

The point is to isolate the clients from each other anyway. Segmentation into subnets is the solution. I'm not saying client isolation is bad. I'm just saying that doesn't help with the OP's problem. The OP's problem is that wireless clients are spoofing the MAC addresses of other customers to have their traffic...
by ZeroByte
Wed Nov 08, 2017 10:25 pm
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7907

Re: Help me stop MAC spoofing

How do you sniff the traffic of other devices if they are in another broadcast domain? Your network ends on the terminating interface. I go to the other device physically - pull its cable out and sniff it from a direct connection to the device. Then I connect into its port and go online with that MAC from...
by ZeroByte
Wed Nov 08, 2017 8:56 pm
Forum: Beginner Basics
Topic: srcnat with interface list doesn't work
Replies: 4
Views: 802

Re: srcnat with interface list doesn't work

ether2 is not the out interface - the vlan interface 463 is your out-interface. Or, if you have a bridge with vlan463 on it as a port, then the bridge interface should be the WAN interface. Whatever interface has the dhcp-client tied to it - that should be the wan. and for any more configuration pos...
by ZeroByte
Wed Nov 08, 2017 8:27 pm
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7907

Re: Help me stop MAC spoofing

How about segmenting the network into a few small ones on different interfaces and filtering hosts at the terminating points by src-mac? Okay - so I'll take my laptop there, unplug the expected device, note its MAC address (which I can ultimately learn by plugging my laptop directly into the "mac-verified" device's ...
by ZeroByte
Wed Nov 08, 2017 6:33 pm
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7907

Re: Help me stop MAC spoofing

scroll up..... and see that I would go with WPA2-Enterprise i.e. AAA-backed per-user authentication That STILL doesn't stop the endpoint's ability to spoof MAC addresses but at least you can disable the account of anyone caught doing it and that device won't be able to join the network. At the end o...
by ZeroByte
Wed Nov 08, 2017 4:34 pm
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7907

Re: Help me stop MAC spoofing

Why don't you think of using dhcp-server with adding ARP for static leases without ARP requests from clients? If it's Wi-Fi, disable default forwarding. This will not stop MAC spoofing. This is a method to enforce the use of DHCP on the LAN, and disabling default forward blocks the clients from direct...
by ZeroByte
Tue Nov 07, 2017 9:24 pm
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7907

Re: Help me stop MAC spoofing

Given the choice between PPPoE and WPA2-enterprise, I'd choose the latter because access to the WiFi network is controlled at the front door by AAA. It still cannot stop MAC spoofing but at least the spoofing client must possess active credentials to join the network before being naughty, and those ...
by ZeroByte
Thu Oct 26, 2017 2:12 am
Forum: Forwarding Protocols
Topic: best path choose wrongly
Replies: 9
Views: 855

Re: best path choose wrongly

Hi. Yes, none of my ISPs offer communities, so the only way is to send the smallest prefix? ... or talk to their techs to see if they'll manually apply a special local_pref policy on their peering session with you. One of my transit providers doesn't support communities themselves, but they do pass comm...
by ZeroByte
Thu Oct 26, 2017 1:58 am
Forum: General
Topic: VoIP - Implemented in RouterOS
Replies: 23
Views: 2493

Re: VoIP - Implemented in RouterOS

It would be pretty neat to have a "pbx" menu where adding phones is as easy as clicking the blue plus sign, assigning a phone number to the new extension and MAC address, etc - but coming from someone who works in the industry, I can tell you that this is a real bottomless pit of features. SIP is su...
by ZeroByte
Thu Oct 26, 2017 1:51 am
Forum: Beginner Basics
Topic: Business with limited Bandwidth and out of control usage
Replies: 6
Views: 659

Re: Business with limited Bandwidth and out of control usage

Mikrotik routers can do what you're talking about, but they aren't the easiest tool to use for beginners, especially where QoS scheduling is concerned. On the other hand, they're quite inexpensive and quite flexible so if you have a good grasp of networking functions / behaviors, then you can probab...
by ZeroByte
Fri Oct 20, 2017 10:34 pm
Forum: General
Topic: Understanding Mikrotik's definition of "Throughput" [SOLVED]
Replies: 5
Views: 760

Re: Understanding Mikrotik's definition of "Throughput" [SOLVED]

If my thinking is correct on your post, why will it not be 1.25Gb as that is the theoretical limit for Gb interface and will be closer to Mikrotik's published data? This is because a router can forward more throughput than the maximum data rate of a single port. Suppose you have a router with 4 gig...
by ZeroByte
Fri Oct 20, 2017 10:14 pm
Forum: Forwarding Protocols
Topic: best path choose wrongly
Replies: 9
Views: 855

Re: best path choose wrongly

Just to be clear: When I say set local_pref, what I mean is use BGP communities. LocalPref itself is a non-transitive attribute on BGP routes - meaning that it only has meaning within the same AS. You could set localpref=999 on a prefix, but that information won't be transmitted to any eBGP neighbor...
by ZeroByte
Fri Oct 20, 2017 10:00 pm
Forum: Forwarding Protocols
Topic: sACN with PIM over multiple networks
Replies: 3
Views: 477

Re: sACN with PIM over multiple networks

You don't need to do any routes for the multicast addresses because multicast routing sort of works backwards from unicast routing. I.e. it routes away from the unicast IP of the source address. Essentially, a multicast packet for a given group will be forwarded to every subscribed port which is not...
by ZeroByte
Fri Oct 20, 2017 8:02 pm
Forum: Forwarding Protocols
Topic: best path choose wrongly
Replies: 9
Views: 855

Re: best path choose wrongly

That will work. I generally hate this kind of solution because it's part of the reason why the global BGP table is working its way near 1 million routes. . . In your original post you talk about how provider 2 is an indirect BGP connection, and that they don't support communities, etc. Does provider...
by ZeroByte
Fri Oct 20, 2017 7:05 pm
Forum: Forwarding Protocols
Topic: best path choose wrongly
Replies: 9
Views: 855

Re: best path choose wrongly

You can't. Best path selection uses the following metrics:
1) Highest Weight
2) Highest Local Preference
3) Locally-generated prefix > learned prefix
4) Shortest AS-Path length
5) several more tiebreakers afterwards
Thus a prefix with an AS-PATH length of 50 and local-preference 101 would be chosen o...
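
A RouterOS v6 filter set that puts the points from the four replies in this thread into configuration: local-pref picks our own exit (and never leaves the AS), a community is the clean way to influence the provider's side, and prepending is the fallback when the provider honours no communities. This is an added example, not the poster's configuration; the ASNs, peer addresses, the 198.51.100.0/24 prefix and the community value 64502:80 are constructed, and a real value must come from the provider's published community list.

```routeros
/routing bgp instance
set default as=64500 router-id=192.0.2.2

/ip route
# Nail up the aggregate we originate so BGP always has something to announce.
add dst-address=198.51.100.0/24 type=blackhole distance=254
/routing bgp network
add network=198.51.100.0/24

/routing filter
# Outbound exit choice. Local preference is compared before AS-path length,
# so every prefix learned from ISP1 wins even where ISP1's path is longer.
# This attribute is non-transitive: it steers only our own routers.
add chain=isp1-in action=accept set-bgp-local-pref=200
add chain=isp2-in action=accept set-bgp-local-pref=100

# Inbound preference. ISP1 gets a plain announcement.
add chain=isp1-out prefix=198.51.100.0/24 action=accept
add chain=isp1-out action=discard

# ISP2 honours no communities (as in the thread), so the only local knob is
# prepending. Were communities supported, the clean form would be
#   set-bgp-communities=64502:80   (constructed "lower local-pref" value)
# Caveat: prepends lose to any local-pref ISP2 sets on its customer routes,
# so traffic from inside ISP2 and its customers will still arrive via ISP2.
add chain=isp2-out prefix=198.51.100.0/24 action=accept set-bgp-prepend=2
add chain=isp2-out action=discard

/routing bgp peer
add name=isp1 remote-address=192.0.2.1 remote-as=64501 in-filter=isp1-in out-filter=isp1-out
add name=isp2 remote-address=192.0.2.5 remote-as=64502 in-filter=isp2-in out-filter=isp2-out
```

The explicit `action=discard` at the end of each out-chain is the part worth keeping even if nothing else is: without it, a router with a full table and no outbound filter can re-announce everything it learned from one provider to the other.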
by ZeroByte
Thu Oct 19, 2017 6:14 pm
Forum: Beginner Basics
Topic: Allow management only on a specific (lan) port
Replies: 5
Views: 2787

Re: Allow management only on a specific (lan) port

The new style of bridging is currently only operational in the 6.41rcXX train (RC = release candidate - i.e. "beta")

Looks like you're getting a good handle on things otherwise, though.
by ZeroByte
Mon Oct 16, 2017 7:53 pm
Forum: Announcements
Topic: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities
Replies: 58
Views: 105561

Re: RouterOS NOT affected by WPA2 vulnerabilities

It's funny that Mikrotik already had this patched in the most recent bugfix and stable release trains, while Ubiquiti's response on AirMax is that it's "not as easy" on AirMax shots, and that a patched beta will be released later this week.
by ZeroByte
Mon Oct 16, 2017 6:40 pm
Forum: Wireless Networking
Topic: Where does Mikrotik stand on this?
Replies: 2
Views: 549

Re: Where does Mikrotik stand on this?

This is a pretty interesting read. Thanks for sharing.
by ZeroByte
Mon Oct 16, 2017 6:21 pm
Forum: Beginner Basics
Topic: Allow management only on a specific (lan) port
Replies: 5
Views: 2787

Re: Allow management only on a specific (lan) port

The drop rule in the bridge filter is not going to help.
add action=drop chain=forward dst-address=192.168.1.1/32 in-interface=!ether4 log=yes mac-protocol=ip
The forward chain only applies to traffic going through the bridge - e.g. in ether1 and out ether2. If you're trying to filter traffic to/from th...
by ZeroByte
Sat Oct 14, 2017 1:59 am
Forum: Beginner Basics
Topic: Small home network issue
Replies: 3
Views: 453

Re: Small home network issue

I would suspect that PoE is somehow responsible. If you want to test this, put a switch between ether1 and the ONT. If it works with this in the middle, then probably there's something on the wire coming from the ONT that makes the Mikrotik expect PoE power but get none. Worst case, use another inte...
by ZeroByte
Sat Oct 14, 2017 1:52 am
Forum: Forwarding Protocols
Topic: OSPF - one way neighbor
Replies: 2
Views: 924

Re: OSPF - one way neighbor

Other things to check:
1) MTU
2) OSPF interface type (p2p vs broadcast vs NBMA etc)
3) Passive interface?
4) Both routers have the correct OSPF network defined to include the common interface between them
5) If there is some 3rd party wireless bridge between the devices, make sure it's not blocking multicast proba...
by ZeroByte
Fri Oct 13, 2017 11:19 pm
Forum: General
Topic: Mikrotik IPV6 Network, IPV4 ISP
Replies: 4
Views: 785

Re: Mikrotik IPV6 Network, IPV4 ISP

If you don't control your public IP then there's really not much that you can do.

If your device has a static public IP address, then you can either use tunnelbroker, or even get your feet wet using 6to4 addressing.
by ZeroByte
Fri Oct 13, 2017 11:16 pm
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2078

Re: MicroTik RB750Gr3 trunk vLAN issue

... assuming OP wants to run beta code on their device. If it's just a lab, then that's cool, but I wouldn't ever want to run RC code on anything production.
by ZeroByte
Fri Oct 13, 2017 11:10 pm
Forum: Beginner Basics
Topic: Allow management only on a specific (lan) port
Replies: 5
Views: 2787

Re: Allow management only on a specific (lan) port

See this thread:
viewtopic.php?f=13&t=122279

It's exactly the same issue except that you'll do the blocking in the input chain instead of the forward chain
by ZeroByte
Fri Oct 13, 2017 5:33 pm
Forum: Beginner Basics
Topic: access winbox from internet
Replies: 9
Views: 1931

Re: access winbox from internet

Use of non-standard port numbers (for God's sake, don't use port 80). This isn't really useful in today's world. Port scanners also fingerprint the sockets they discover, so even if it's sshd running on port 9147, they'll find and catalog it. All of the other points are spot-on, though. I don't kno...
by ZeroByte
Fri Oct 13, 2017 5:20 pm
Forum: Beginner Basics
Topic: Help me stop MAC spoofing
Replies: 37
Views: 7907

Re: Help me stop MAC spoofing

You should probably consider switching to PPPoE instead of hotspot if you have such rampant issues with end-user abuse. Another option to experiment with would be cookie logins. Unfortunately, there is nothing much you can do to stop devices from MAC spoofing. Client isolation won't completely fix t...
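
The AP-side configuration for the WPA2-Enterprise recommendation that runs through the "Help me stop MAC spoofing" replies above, together with the "disable default forwarding" suggestion, as an added example rather than anything posted in the thread. The RADIUS server address, the shared secret and the wlan1 interface name are constructed.

```routeros
/radius
# Constructed: the AAA server that holds one credential per user. The
# shared secret must be long and unique to this AP.
add service=wireless address=192.168.10.5 secret=REPLACE-WITH-LONG-RANDOM-SECRET

/interface wireless security-profiles
# WPA2-Enterprise: each client authenticates with its own credentials via
# EAP, passed through to RADIUS. A copied MAC address alone no longer gets a
# device onto the network, and one user's credential can be disabled.
add name=wpa2-ent mode=dynamic-keys authentication-types=wpa2-eap \
    eap-methods=passthrough

/interface wireless
# default-forwarding=no stops client-to-client frames inside the AP. It
# narrows what an authenticated abuser can reach; it does not stop spoofing.
set wlan1 security-profile=wpa2-ent default-forwarding=no
```

As the thread says, none of this prevents a client from changing its MAC address; what it changes is that every session is tied to an account that had to authenticate at the front door, so abuse is attributable and revocable.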
by ZeroByte
Fri Oct 13, 2017 4:35 pm
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2078

Re: MicroTik RB750Gr3 trunk vLAN issue

In their basic modes, it's best (or at least it works for me) to think of the HW switch groups and the software bridges as being simple dumb switches - i.e. they agnostically pass tagged and untagged frames "as-is" So if you bridge ether1 and ether2 with a soft bridge, for instance, then both will b...
by ZeroByte
Fri Oct 13, 2017 2:18 am
Forum: Forwarding Protocols
Topic: filtering ospf routes..
Replies: 4
Views: 1895

Re: filtering ospf routes..

Upon some reflection, I think I see what your problem might be, so let's see if I have this right: There is a set of "on-site" routers which connect to a central router at a central site. You want each on-site router to advertise whatever 10.x.x.x subnet(s) are attached to the on-site router, and no...
by ZeroByte
Fri Oct 13, 2017 1:26 am
Forum: Forwarding Protocols
Topic: filtering ospf routes..
Replies: 4
Views: 1895

Re: filtering ospf routes..

Then the router behind this one will be responsible for originating its own prefixes. There are only a few real ways to filter OSPF routes:
1) Don't allow them into the database to begin with
2) Aggregating routes at area borders (only works for interior routes - not external (redistributed) routes)...
by ZeroByte
Fri Oct 13, 2017 1:03 am
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2078

Re: MicroTik RB750Gr3 trunk vLAN issue

You've chosen an interesting time to attempt this because the way it's done is going to change with the next version of ROS. (v6.41) At that point, the bridge will be vlan-aware and you'll be able to do what you want much more easily. In today's version, the best way to go about it, given your requi...
by ZeroByte
Fri Oct 13, 2017 12:55 am
Forum: General
Topic: DHCP Client with Comcast mdm/rtr in Bridge mode
Replies: 1
Views: 345

Re: DHCP Client with Comcast mdm/rtr in Bridge mode

Perhaps the modem has a limit to how many IP addresses it will assign to clients, and it still remembers the MAC address of the laptop? Does it work if you reboot the modem between attempting with the PC and attempting with the Mikrotik? Does it work if you set the MAC address on the Mikrotik's WAN interfa...
by ZeroByte
Fri Oct 13, 2017 12:42 am
Forum: Beginner Basics
Topic: Block internet access on specific physical port
Replies: 16
Views: 4384

Re: Block internet access on specific physical port

Oh wait - I got it backwards. You want LAN<>LAN but no Internet. Whoops. Delete the forward chain filter rules and use these rules instead:
action=drop chain=input in-bridge=bridge1 in-interface=ether4 mac-protocol=ip dst-address=!192.168.0.0/24
action=drop chain=output out-bridge=bridge1 out-interf...
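
Both per-port bridge-filter cases raised on this page, the "management only on ether4" thread and the "no Internet on ether4" thread, written out as complete rules. This is an added example, not the exact rules from either post; bridge1, ether4 and the two subnets follow the values the posts mention but are otherwise assumed. The bridge filter "input" chain is bridge port to router, "output" is router to bridge port, and "forward" is port to port, which is why the first case does not belong in forward.

```routeros
/interface bridge filter
# Case 1 - management-only port (router IP 192.168.1.1): frames arriving on
# any port other than ether4 and addressed to the router itself are dropped.
# Port-to-port traffic through the bridge is untouched.
add chain=input in-bridge=bridge1 in-interface=!ether4 mac-protocol=ip \
    dst-address=192.168.1.1/32 action=drop comment="mgmt only via ether4"

# Case 2 - LAN-only port (LAN 192.168.0.0/24): ether4 may reach LAN hosts
# (bridge forward chain, untouched) and the router's own LAN address (DHCP,
# DNS), but anything it hands the router for routing elsewhere is dropped,
# and nothing routed in from elsewhere may be delivered to it.
add chain=input in-bridge=bridge1 in-interface=ether4 mac-protocol=ip \
    dst-address=!192.168.0.0/24 action=drop comment="ether4: no Internet out"
add chain=output out-bridge=bridge1 out-interface=ether4 mac-protocol=ip \
    src-address=!192.168.0.0/24 action=drop comment="ether4: no Internet in"
```

mac-protocol=ip is required on every rule that matches on IP addresses; without it the rule is silently never matched. Non-IP frames (ARP, IPv6) are also outside these rules, so add the corresponding IPv6 rules if the router has IPv6 on the bridge.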
by ZeroByte
Thu Oct 12, 2017 9:06 pm
Forum: Forwarding Protocols
Topic: filtering ospf routes..
Replies: 4
Views: 1895

Re: filtering ospf routes..

Turn off redistribute connected.
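
The configuration the three "filtering ospf routes" replies above point at: no redistribution at all, the on-site LAN entered as an OSPF network so this router originates it, and the LAN interface passive so nothing on the LAN can form an adjacency. This is an added example rather than the poster's configuration; the interface names and the 10.255.0.0/30 uplink and 10.10.10.0/24 LAN prefixes are constructed.

```routeros
/routing ospf instance
# Option 1 from the reply: keep unwanted routes out of the database to begin
# with. Nothing connected or static is redistributed from this router.
set default redistribute-connected=no redistribute-static=no

/routing ospf network
# The uplink toward the central router, where the adjacency forms ...
add network=10.255.0.0/30 area=backbone
# ... and the one LAN this on-site router is responsible for originating.
add network=10.10.10.0/24 area=backbone

/routing ospf interface
# Passive: the LAN prefix is originated, but no hellos are sent on the LAN,
# so a rogue device there cannot become a neighbor and inject routes.
add interface=ether2-lan passive=yes
```

Anything behind this router that needs to be reachable must then run OSPF itself (or be covered by a static on the central router); that is the trade-off the first reply in the thread describes.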
by ZeroByte
Thu Oct 12, 2017 9:03 pm
Forum: Forwarding Protocols
Topic: BGP Dual-homing using 2 x CCR1016-12G or just one CLOUD CORE CCR1036-12G-4S-EM. What would you do?
Replies: 5
Views: 806

Re: BGP Dual-homing using 2 x CCR1016-12G or just one CLOUD CORE CCR1036-12G-4S-EM. What would you do?

For me, it would depend on several things. In general, the pros/cons are that a single router is easier to manage and produces less configuration complexity in your network's design, but it leads to a single point of failure being the router itself. Generally, though, the circuits and other external...
by ZeroByte
Thu Oct 12, 2017 8:47 pm
Forum: Beginner Basics
Topic: Block internet access on specific physical port
Replies: 16
Views: 4384

Re: Block internet access on specific physical port

Okay - so this means that even using IP firewall for the bridge won't allow you to filter on a specific bridge port. It's correct for the interface to become slave when you add to a bridge. Slave means that the interface cannot be used directly as an IP interface because it's acting as a component o...
by ZeroByte
Thu Oct 12, 2017 6:08 pm
Forum: General
Topic: Asymmetric routing
Replies: 4
Views: 1004

Re: Asymmetric routing

Previously, I needed to use a Routing Mark and Mangle or Routing Rules to be able access to Mikrotik thru both WAN interfaces. This is correct. Without any kind of policy routing, the Mikrotik is just going to use the default GW to reach you, and if that route points out via ISP1, then requests com...
by ZeroByte
Thu Oct 12, 2017 5:49 pm
Forum: Beginner Basics
Topic: access winbox from internet
Replies: 9
Views: 1931

Re: access winbox from internet

router ip: 192.168.1.1 (I want to maintain the router from ports 8728, 8291, 80); NAS: 192.168.1.100 (I want 8080, 21); Nintendo Switch: 192.168.1.18 (needs DMZ, because it has no UPnP). I have a Mikrotik router at my house and my Nintendo Switch works just fine w/o any NAT rules or UPnP whatsoever. FTP to...
by ZeroByte
Thu Oct 12, 2017 5:40 pm
Forum: Beginner Basics
Topic: Block internet access on specific physical port
Replies: 16
Views: 4384

Re: Block internet access on specific physical port

Yes on the master=none..... add ether4 to main LAN bridge1? Or I need to create another one, like bridge2? Do I need to add other interfaces to bridge2 like ether2, ether3, ether5? Thanks. If you want ether4 to be in the same network as the rest of the LAN, then yes, add it to the same bridge. If yo...
by ZeroByte
Thu Oct 12, 2017 1:22 am
Forum: Beginner Basics
Topic: forward chain: no packets go through [SOLVED]
Replies: 10
Views: 1037

Re: forward chain: no packets go through [SOLVED]

okay - so this means you're using a bridge for the LAN interfaces? If so, then that's the reason you're not seeing traffic in the forward chain, because the IP firewall only receives packets that flow through IP interfaces. If you're trying to filter traffic between bridged interfaces, then you need...
by ZeroByte
Thu Oct 12, 2017 12:37 am
Forum: Beginner Basics
Topic: Block internet access on specific physical port
Replies: 16
Views: 4384

Re: Block internet access on specific physical port

Earlier in the thread, it was explained that you must un-slave interfaces such as ether4 that you've posted screenshots about.

Furthermore, you will need to add ether4 to the LAN bridge, and then enable "use IP firewall" on the bridge.
by ZeroByte
Wed Oct 11, 2017 11:10 pm
Forum: Forwarding Protocols
Topic: IPv6 Settings disables eBGP
Replies: 7
Views: 635

Re: IPv6 Settings disables eBGP

Try making the neighbor be ::1 and the Mikrotik be ::2 on that network, instead of ::0 and ::1
::0 has special meaning.
by ZeroByte
Wed Oct 11, 2017 7:11 pm
Forum: Forwarding Protocols
Topic: IPv6 Settings disables eBGP
Replies: 7
Views: 635

Re: IPv6 Settings disables eBGP

The neighbor configuration looks strange to me, being that you configured it to be: The BGP Configuration add address-families=ipv6 instance=IPV6 name=WAVEIPV6 remote-address=2600:2105:1:: remote-as=11404 ttl=default 2600:2105:1::/64 is the same as 2600:2105:1::0 . . . which means "segment router ad...
by ZeroByte
Tue Oct 10, 2017 11:08 pm
Forum: General
Topic: link between 2011UiAS and CRS125-24G-1S 100Mb/sec. [SOLVED]
Replies: 5
Views: 621

Re: link between 2011UiAS and CRS125-24G-1S 100Mb/sec. [SOLVED]

Just some silly things to think of:
1) You confirmed the cable works for a 1Gbps link and not just a 100Mbps link, because 1Gbps does use all 8 pins where a 100Mbps link only uses 4
2) You're using ether1 - ether5 on the 2011 (ports 6 - 10 are 10/100 only)
3) There is nothing in the CRS's configurat...
by ZeroByte
Tue Oct 10, 2017 5:17 pm
Forum: Beginner Basics
Topic: Network Segmentation
Replies: 6
Views: 1109

Re: Network Segmentation

Thanks, ZeroByte. So would only the bridge IP be pingable after I configure the firewall to drop communication between LANS 1 & 2? Correct. Any traffic which is to/from the router itself is processed in the input / output chains and not the forward chain, even if a device on LAN1 is communicating w...
by ZeroByte
Mon Oct 09, 2017 4:36 am
Forum: Beginner Basics
Topic: Network Segmentation
Replies: 6
Views: 1109

Re: Network Segmentation

Oh yeah, the router will forward packets between IP ranges unless you tell it not to using a firewall filter rule as acruhl states. One more thing to point out: once you add a filter rule to the forward chain to block lan-to-lan communication, you will still be able to ping the Mikrotik's IP address...
by ZeroByte
Sun Oct 08, 2017 4:53 am
Forum: Beginner Basics
Topic: Network Segmentation
Replies: 6
Views: 1109

Re: Network Segmentation

Go into bridge > ports and check which interfaces are connected to your bridge. Any interface of the bridge will be in the same layer 2 broadcast (thus the same IP network) with the others. The easiest thing to do is to make a bridge for each LAN segment that you want, and to connect the physical in...
by ZeroByte
Thu Oct 05, 2017 11:48 pm
Forum: Beginner Basics
Topic: Can't obtain IP address [SOLVED]
Replies: 4
Views: 7574

Re: Can't obtain IP address [SOLVED]

... or if the HAP is strictly acting as an AP (you have some other device working as your router) then make sure the wlan interface is bridged to the LAN interface. If the HAP is all-in-one and the hard-wired computers are getting IP addresses properly, then you probably just need to go into the bri...
by ZeroByte
Thu Oct 05, 2017 11:43 pm
Forum: Beginner Basics
Topic: Web Proxy
Replies: 3
Views: 896

Re: Web Proxy

The non-hotspot way is not as tight, because it can only block / allow certain IP addresses.... So if a permitted IP address hosts a site you want as well as a site you do not want, then there's no way (using this method alone) to block the other site(s) also being hosted on the same server. Anyway,...
by ZeroByte
Thu Oct 05, 2017 11:27 pm
Forum: Forwarding Protocols
Topic: BGP routes
Replies: 2
Views: 585

Re: BGP routes

The only option I can see is to block the more specific prefix from your other peering point(s). Chances are good that this more specific route is traffic engineering on the other party's part. Routing will always choose the longest prefix matching a given destination - that is the fundamental rule ...
by ZeroByte
Thu Oct 05, 2017 10:33 pm
Forum: General
Topic: Port Forwarding - It should be easy but it isn't [SOLVED]
Replies: 11
Views: 1047

Re: Port Forwarding - It should be easy but it isn't [SOLVED]

I see that you listed dst-address=xxx.xxx.xxx.xxx on rule 1 in the filter rules. I presume this means that your rule is set to match when dst-address = the public IP address. This would be incorrect, as the filter functionality happens after dstnat has already taken place (and before srcnat) so you ...
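
The ordering point made in the reply above (dstnat runs before the filter table sees the packet, srcnat after), shown as the broken rule beside the working one. This is an added example, not the OP's configuration; the WAN interface, the 203.0.113.10 public address and the 192.168.88.10 inside server are constructed.

```routeros
/ip firewall nat
# Publish an inside web server on the WAN address.
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443

/ip firewall filter
add chain=forward connection-state=established,related action=accept

# WRONG: by the time the forward chain runs, dstnat has already rewritten the
# destination to 192.168.88.10, so a rule keyed on the public IP never matches
# and the pinhole is silently closed by the default drop below.
# add chain=forward in-interface=ether1-wan protocol=tcp \
#     dst-address=203.0.113.10 dst-port=443 action=accept

# RIGHT: match the post-NAT inside address, and require that the connection
# really was dst-nat'ed so the rule cannot be reached by any other path to
# the server (e.g. a misrouted packet already carrying the inside address).
add chain=forward in-interface=ether1-wan connection-state=new \
    connection-nat-state=dstnat protocol=tcp dst-address=192.168.88.10 \
    dst-port=443 action=accept

# Default deny for anything else new that arrives from the WAN.
add chain=forward in-interface=ether1-wan connection-state=new action=drop
```

The same rule applies when reading the log or a packet sniffer on the LAN side: the inside address is what the filter and the server see; the public address only exists on the WAN side of the router.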
by ZeroByte
Thu Oct 05, 2017 12:19 am
Forum: General
Topic: Internet configuration with CGNAT
Replies: 9
Views: 2510

Re: Internet configuration with CGNAT

I was assuming that the carrier has that /32 routed at the CGNAT WAN address, in which case the packet would be processed as a "forwarding" candidate - which would match the connection state tracking, so any previously-established outbound connections in the table should cause the replies to get map...
by ZeroByte
Wed Oct 04, 2017 7:50 pm
Forum: General
Topic: Internet configuration with CGNAT
Replies: 9
Views: 2510

Re: Internet configuration with CGNAT

You need to find out exactly what the other router is doing that your Mikrotik is not doing, and then we can help figure out how to make the Mikrotik do the same. The ultimate thing to know is: what happens on the wire? Is any kind of tunnel being established? Does the working router send/receive pa...
by ZeroByte
Tue Oct 03, 2017 10:22 pm
Forum: Beginner Basics
Topic: port forwarding help
Replies: 5
Views: 656

Re: port forwarding help

If you move the service port to something nonstandard, then you don't need to make any dstnat rules for this. Just make sure that the input chain of the firewall filters will allow this connection from the WAN interface. Preferably, limit this to certain remote IP addresses if your remote location i...
by ZeroByte
Tue Oct 03, 2017 5:51 pm
Forum: General
Topic: Internet configuration with CGNAT
Replies: 9
Views: 2510

Re: Internet configuration with CGNAT

okay - I'd say this is what you need to do: starting with a default configuration, perform these extra configurations (use the terminal window to enter the commands):
/interface vlan add name=wan vlan-id=20 interface=ether1
/ip address add address=100.64.139.40/30 interface=wan
/ip route add dst=0.0...
by ZeroByte
Mon Oct 02, 2017 11:11 pm
Forum: General
Topic: web server tcp help
Replies: 3
Views: 572

Re: web server tcp help

My only last question was just to make sure the rest of the ports are good; I mean I specified the IP address straight to the server so my PC won't have port 80 open. I'm not 100% sure I understand this question - I think you want to know whether allowing port 80,443 has opened these ports for a...
by ZeroByte
Mon Oct 02, 2017 5:33 pm
Forum: Beginner Basics
Topic: Web Proxy
Replies: 3
Views: 896

Re: Web Proxy

You could use hotspot + walled garden. The full access users have a logon that lets them use the full Internet. The login screen could simply state that you must login to use sites other than X, Y, and Z... One problem could be if there is internal device-to-device communication within the LAN, a ho...
by ZeroByte
Mon Oct 02, 2017 5:23 pm
Forum: Wireless Networking
Topic: Wireless Sector Capacity Planning Question
Replies: 7
Views: 930

Re: Wireless Sector Capacity Planning Question

This is outdoor fixed wireless backhaul. If I have a customer who adds X amount to their allowed upstream on the backhaul circuit (i.e. there's a layer3 break between the customer's actual LAN and this wireless link) and I allow 3 more Mbps on their upstream-facing queue, and they start using it, wi...
by ZeroByte
Mon Oct 02, 2017 4:45 pm
Forum: Beginner Basics
Topic: Multiple DNS server issues
Replies: 9
Views: 2103

Re: Multiple DNS server issues

DNS proxy is needed because the hotspot name is important. You'll also find that name pops up in the DNS static entries as a dynamic item. DNS proxy is a subset of the hotspot functionality which is why the service works even when "allow remote requests" is set to no. I'm pretty sure that the non-ho...
by ZeroByte
Fri Sep 29, 2017 11:45 pm
Forum: Forwarding Protocols
Topic: NetBIOS block ?
Replies: 10
Views: 2811

Re: NetBIOS block ?

add action=dst-nat chain=dstnat dst-address=77.162.238.*** to-addresses=192.168.10.40
Remove this NAT rule, because you are forwarding all ports to the local address 192.168.10.40, that is, they become visible to the public! I suspected there was a sort of "dmz" rule in the NAT because surely nob...
by ZeroByte
Fri Sep 29, 2017 10:22 pm
Forum: Forwarding Protocols
Topic: NetBIOS block ?
Replies: 10
Views: 2811

Re: NetBIOS block ?

/ip firewall filter
add chain=forward protocol=udp dst-port=137-139 action=drop in-interface=X
add chain=forward protocol=tcp dst-port=137-139 action=drop in-interface=X
X = the name of your interface with the public IP address on it. For good measure, you can also block it outbound:
/ip firewall fi...
by ZeroByte
Fri Sep 29, 2017 10:15 pm
Forum: Beginner Basics
Topic: What are these Firewall NAT rules doing? [SOLVED]
Replies: 1
Views: 347

Re: What are these Firewall NAT rules doing? [SOLVED]

There could be more conditions that this view is not showing, but given what's on the screen: 0 = don't NAT whenever 192.168.123.0/24 talks to something in 192.168.33.0/24 1 - 3 are all masquerade rules. Masquerade means to nat the source IP address by changing the original source IP into the IP add...
by ZeroByte
Fri Sep 29, 2017 9:05 pm
Forum: Wireless Networking
Topic: Wireless Sector Capacity Planning Question
Replies: 7
Views: 930

Re: Wireless Sector Capacity Planning Question

I'm not planning for end-user WiFi here.

I'm looking for technical information here, not product delivery paradigms.
by ZeroByte
Fri Sep 29, 2017 5:27 pm
Forum: General
Topic: Simple queue PCQ uploads saturate connection
Replies: 11
Views: 2699

Re: Simple queue PCQ uploads saturate connection

The HTTP-BIG concept intrigues me. Thanks for posting this! One comment - I notice that you have a lot of rules duplicated in postrouting. I'm not quite sure why you've done this, and my guess would be so that connections to/from the router itself will also be marked properly? If that's the case, th...
by ZeroByte
Fri Sep 29, 2017 5:12 pm
Forum: General
Topic: How to select where the traffic goes out through. Router with several IP's on the same interface
Replies: 6
Views: 1164

Re: How to select where the traffic goes out through. Router with several IP's on the same interface

load the config in notepad and do a search/replace for your public IP stuff.... e.g. if your public IPs are all 192.0.2.x, then replace 192.0.2. with x.x.x. If you have multiple routing prefixes, then use a different prefix for each substitution but be consistent with each one. So if a second block ...
by ZeroByte
Fri Sep 29, 2017 5:07 pm
Forum: Beginner Basics
Topic: Multiple DNS server issues
Replies: 9
Views: 2103

Re: Multiple DNS server issues

One more "silly question:" you have verified that the server itself is able to resolve DNS queries, right? As in logged into the server itself, is it able to resolve all DNS queries locally?
by ZeroByte
Fri Sep 29, 2017 5:05 pm
Forum: Wireless Networking
Topic: Wireless Sector Capactiy Planning Question
Replies: 7
Views: 930

Re: Wireless Sector Capactiy Planning Question

I'm not looking to select gear for wireless shots - I'm just trying to (in)validate my thoughts as to the effect of bandwidth allocation on sector capacity.
I.e. - does giving a customer more upstream detract more from a sector than giving them the same amount of additional downstream would?
by ZeroByte
Fri Sep 29, 2017 8:17 am
Forum: General
Topic: Bridge Filters / Dynamic Interfaces
Replies: 3
Views: 642

Re: Bridge Filters / Dynamic Interfaces

I don't think so. You could probably achieve similar effects with scripts that trigger on events for ppp-type interfaces which have onup/ondown script triggers. I've seen nothing like that for WDS interfaces, etc. Granted that's not the same thing either, but it's probably the closest you'll get. I ...
by ZeroByte
Fri Sep 29, 2017 12:39 am
Forum: General
Topic: Bridge Filters / Dynamic Interfaces
Replies: 3
Views: 642

Re: Bridge Filters / Dynamic Interfaces

It would be much easier to just make the guest network be a separate IP network and filter forwarding between the two using an IP firewall rule or two. Basically, you'd make a second "LAN" bridge, called "guests" or something equally descriptive.... Make the guest APs connect back to that bridge ins...
by ZeroByte
Thu Sep 28, 2017 11:31 pm
Forum: Forwarding Protocols
Topic: OSPF Backbone area -> Another Area -> Multiple PPPoE servers
Replies: 26
Views: 3893

Re: OSPF Backbone area -> Another Area -> Multiple PPPoE servers

Thanks a lot ZeroByte, I will set inject-summary-lsas to no and one more thing for ospf interface network-type, what should it be ? Broadcast or default for where passive=yes Neither parameter matters on a passive interface, which pretty much only serves one function: to properly originate rou...
by ZeroByte
Thu Sep 28, 2017 9:03 pm
Forum: Forwarding Protocols
Topic: OSPF Multi-instance network.
Replies: 2
Views: 536

Re: OSPF Multi-instance network.

This is normal. Cisco does the same thing.
by ZeroByte
Thu Sep 28, 2017 8:20 pm
Forum: Forwarding Protocols
Topic: Subnetting public /22 with PPPoE and OSPF
Replies: 8
Views: 955

Re: Subnetting public /22 with PPPoE and OSPF

Amusing of course that the adjacent block hasn't been assigned to a different tower :) That's why I suggested a sparse allocation scheme when making the initial /29 assignments. e.g.: 10.0.0.0/29 = tower 1 10.0.2.0/29 = tower 2 10.0.1.0/29 = tower 3 10.0.3.0/29 = tower 4 10.0.0.128/29 = tower 5 e...
by ZeroByte
Thu Sep 28, 2017 7:57 pm
Forum: Forwarding Protocols
Topic: Subnetting public /22 with PPPoE and OSPF
Replies: 8
Views: 955

Re: Subnetting public /22 with PPPoE and OSPF

Well, if you want to use /29 as a base pool size and don't want to get painted into a corner because some tower is much more popular, then what you could do is allocate your initial /29 blocks sparsely and then simply increase to /28 at sites requiring it, then /27, etc. I'd also recommend that if y...
by ZeroByte
Thu Sep 28, 2017 7:51 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Or use link-local addressing for router-to-router links and /128 on loopback interfaces.
That'd clear it right up. ;)

I'm mostly kidding because I understand the drawbacks to using link-local-only addressing within non-trivial topologies.
by ZeroByte
Thu Sep 28, 2017 7:37 pm
Forum: General
Topic: [security] whith the enemy inside, port scan from inside
Replies: 3
Views: 544

Re: [security] whith the enemy inside, port scan from inside

Is this BYOD or a machine you control? If BYOD, then I'd suggest that you harden the layer 2 (peer isolation on wireless and in the switching) Then for the switch's security on the input chain, drop everything that's not: dhcp requests dns (if you're proxying DNS in the switch) icmp echo request (so...
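The input-chain lockdown sketched in the post above, written out as an added RouterOS example (this is not the poster's configuration). The bridge name `bridge-lan`, the `mgmt` address list, the subnets and the management ports are assumptions; the DNS rules only belong if the device really is the LAN's resolver.

```routeros
# Added example, not from the original post. Names, subnets and ports are assumptions.
/interface list add name=LAN
/interface list member add list=LAN interface=bridge-lan
/ip firewall address-list add list=mgmt address=192.168.99.0/24 comment="admin hosts (assumed)"

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# DHCP: clients send from 0.0.0.0 port 68 to the broadcast address port 67
add chain=input in-interface-list=LAN protocol=udp src-port=68 dst-port=67 action=accept
# DNS: only if this box proxies DNS for the LAN; delete these two rules otherwise
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept
# ICMP echo request only, rate-limited; ICMP errors for existing flows match 'related' above
add chain=input in-interface-list=LAN protocol=icmp icmp-options=8:0 limit=10,20:packet action=accept
# management (ssh, winbox) only from the admin address list, never from the BYOD LAN at large
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,8291 action=accept
# everything else a client aims at the switch itself is dropped and logged
add chain=input action=drop log=yes log-prefix="input-drop"

# layer 2: stop clients talking to each other directly
/interface wireless set [find] default-forwarding=no
/interface bridge port set [find bridge=bridge-lan] horizon=1
```

With `horizon=1` on every client-facing bridge port, frames are only forwarded between ports with different horizon values, so wired and wireless guests cannot reach each other even when their traffic never touches the IP firewall.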
by ZeroByte
Thu Sep 28, 2017 7:23 pm
Forum: Wireless Networking
Topic: Wireless Sector Capactiy Planning Question
Replies: 7
Views: 930

Wireless Sector Capactiy Planning Question

I'm pondering some things about how to consider the capacity of an 802.11n wireless multipoint access sector and would like some feedback from the other forum gurus on the subject. Suppose a sector runs 2x2 802.11n on a 20Mhz channel, and for the sake of simplicity, let's assume that all clients ach...
by ZeroByte
Thu Sep 28, 2017 5:37 pm
Forum: Beginner Basics
Topic: Multiple DNS server issues
Replies: 9
Views: 2103

Re: Multiple DNS server issues

You need to do some troubleshooting steps to gain some more information / zero in on the source of the issue. Are the LAN clients being configured to use the correct server, but the requests just aren't reaching it? If so, then SOMETHING must be redirecting the traffic. Period. End of story. If not,...
by ZeroByte
Thu Sep 28, 2017 4:53 pm
Forum: Forwarding Protocols
Topic: OSPF Backbone area -> Another Area -> Multiple PPPoE servers
Replies: 26
Views: 3893

Re: OSPF Backbone area -> Another Area -> Multiple PPPoE servers

inject-summary-lsas is only going to affect what prefixes are sent to peers inside the area, and since the area has no peers (all interfaces in it are passive) then it doesn't matter. This command dictates whether your internal OSPF topology prefixes should be sent into an area from the backbone are...
by ZeroByte
Thu Sep 28, 2017 4:41 pm
Forum: General
Topic: Simple queue PCQ uploads saturate connection
Replies: 11
Views: 2699

Re: Simple queue PCQ uploads saturate connection

Yeah - my terminology got a little bit crossed, but since you're using simple queues, they're parented to 'global' by default anyway, so I went and checked the packet flow diagram to make sure of something before making this reply. simple queues happen at the end of the input path and at the end of ...
by ZeroByte
Thu Sep 28, 2017 6:57 am
Forum: Beginner Basics
Topic: Can't get IPv6 double router config to work
Replies: 17
Views: 1722

Re: Can't get IPv6 double router config to work

Path MTU discovery issues are incredibly common because of ICMP paranoia. +1 to all the ICMP heroes out there! But... but clamp tcp mss is a thing, right? That will fix the mess I make when I block all ICMP right? Better to have to apply a workaround than to let my device be discovered by a ping sc...
by ZeroByte
Thu Sep 28, 2017 6:47 am
Forum: General
Topic: Simple queue PCQ uploads saturate connection
Replies: 11
Views: 2699

Re: Simple queue PCQ uploads saturate connection

I'd suspect that the problem is due to the fact that queue trees parented to the WAN interface will not see what they need to see in order to work as expected. Consider that the default setup for pcq-upload-default uses src-IP as the determining factor for creating/using the dynamic sub-queues. Okay...
by ZeroByte
Thu Sep 28, 2017 12:33 am
Forum: General
Topic: Internet configuration with CGNAT
Replies: 9
Views: 2510

Re: Internet configuration with CGNAT

It seems odd that an ISP would give you both a CGNat IP and a public IP directly at your router. (Seems to defeat the purpose of CGNat). Do you know if they are simply telling you what public IP is mapped to your CGNat IP, or if they're actually routing it to you? If they're routing it, then your ou...
by ZeroByte
Thu Sep 28, 2017 12:12 am
Forum: Beginner Basics
Topic: Router won't route LAN to WAN! Totally stumped [SOLVED]
Replies: 29
Views: 3989

Re: Router won't route LAN to WAN! Totally stumped [SOLVED]

The moral of the story is: before adding a device with a statically-configured IP address, first ping the proposed address and check the ARP cache. If you get no ARP replies, then the address is free (at the moment). I got burned by this once and the device was a laptop running every commercially-av...
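The "ping it, then look at the ARP cache" check from the post above, as an added RouterOS script (not the poster's own). The candidate address and the bridge name are assumptions; the ARP lookup matters because a host that drops ICMP still answers ARP.

```routeros
# Added example, not from the original post. Address and interface are assumptions.
:local candidate 192.168.1.50
:local iface "bridge-lan"

# /ping returns the number of replies received
:local replies [/ping $candidate interface=$iface count=3 interval=200ms]

# the ping itself forces an ARP exchange, so check the cache even if nothing replied
:local arp [/ip arp find address=$candidate interface=$iface]

:if ($replies > 0 || [:len $arp] > 0) do={
    :foreach e in=$arp do={
        :put ("$candidate is in use by MAC " . [/ip arp get $e mac-address])
    }
    :error "address in use, pick another one"
} else={
    :put "$candidate is free at the moment (no reply, no ARP entry)"
}
```

Run it from a device on the same segment as the proposed address; an ARP entry with a MAC address means a duplicate, whatever the ping result says.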
by ZeroByte
Thu Sep 28, 2017 12:04 am
Forum: General
Topic: Simple queue PCQ uploads saturate connection
Replies: 11
Views: 2699

Re: Simple queue PCQ uploads saturate connection

You could try using queue trees on the WAN interface with a simple configuration that gives priority to TCP ACK's. Make a mangle table rule in the prerouting & output chains: 1: protocol=tcp | packet Size: 0-123 | tcp flags=ack | action=mark packet | new packet mark=tcpack | passthrough=no (importan...
by ZeroByte
Wed Sep 27, 2017 11:48 pm
Forum: Beginner Basics
Topic: Prioritize within PCQ
Replies: 1
Views: 379

Re: Prioritize within PCQ

To prioritize a protocol like DNS, then make a separate queue for that protocol (this queue need not necessarily be PCQ) - and note that the queue type doesn't matter on any queue which is not a leaf queue. I.e. the root queue doesn't pass tokens to the sub-queues using PCQ algorithms. You pretty mu...
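One way to put the two queue posts above together (the ACK-marking mangle rules and the separate non-PCQ queue for DNS), as an added RouterOS example that is not from either post. The WAN interface `ether1`, the 10M ceiling and the `limit-at` values are assumptions.

```routeros
# Added example, not from the original posts. Interface name and rates are assumptions.
/ip firewall mangle
# small pure ACKs: prerouting catches forwarded traffic, output catches the router's own
add chain=prerouting protocol=tcp tcp-flags=ack packet-size=0-123 action=mark-packet new-packet-mark=tcpack passthrough=no
add chain=output     protocol=tcp tcp-flags=ack packet-size=0-123 action=mark-packet new-packet-mark=tcpack passthrough=no
# DNS gets its own mark so it can sit in its own (non-PCQ) leaf queue
add chain=prerouting protocol=udp dst-port=53 action=mark-packet new-packet-mark=dns passthrough=no
add chain=output     protocol=udp dst-port=53 action=mark-packet new-packet-mark=dns passthrough=no
# everything that reached this point is bulk
add chain=prerouting action=mark-packet new-packet-mark=bulk passthrough=no
add chain=output     action=mark-packet new-packet-mark=bulk passthrough=no

/queue tree
# the root queue only hands out tokens; its queue type is irrelevant
add name=wan-up parent=ether1 max-limit=10M
add name=ack  parent=wan-up packet-mark=tcpack priority=1 limit-at=1M   max-limit=10M
add name=dns  parent=wan-up packet-mark=dns    priority=2 limit-at=512k max-limit=10M
# only the leaf queue's type matters: bulk traffic is shared per source with PCQ
add name=bulk parent=wan-up packet-mark=bulk   priority=8 queue=pcq-upload-default max-limit=10M
```

`passthrough=no` on each mark rule stops the packet from being re-marked by the later catch-all, which is why the bulk rule can be an unconditional match at the end.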
by ZeroByte
Wed Sep 27, 2017 11:40 pm
Forum: Beginner Basics
Topic: Can't get IPv6 double router config to work
Replies: 17
Views: 1722

Re: Can't get IPv6 double router config to work

Blocking ICMP is so late-90's security tech anyway. Everyone needs to stop doing that. It breaks subtle things in ways most people don't realize, and it doesn't improve security by making your host "undetectable." Your host isn't undetectable by blocking ICMP anyway - if there's so much as one open ...
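The two ICMP posts in this thread argue for accepting the ICMP types that path MTU discovery (and, on IPv6, neighbour discovery) depend on instead of a blanket drop, with MSS clamping as the fallback. The following is an added RouterOS example to that effect, not the poster's configuration; the `WAN` interface list and the rate limits are assumptions.

```routeros
# Added example, not from the original posts. Interface list and limits are assumptions.
/ip firewall filter
add chain=input connection-state=established,related action=accept
# type 3 code 4 (fragmentation needed) is what PMTUD relies on; the rest of type 3 and type 11 are harmless errors
add chain=input protocol=icmp icmp-options=3:0-15 action=accept comment="destination unreachable"
add chain=input protocol=icmp icmp-options=11:0-1 action=accept comment="time exceeded"
add chain=input protocol=icmp icmp-options=8:0 limit=5,10:packet action=accept comment="echo request, rate-limited"
add chain=input protocol=icmp action=drop comment="redirects, timestamps, everything else"

/ipv6 firewall filter
add chain=input connection-state=established,related action=accept
# IPv6 routers never fragment: packet-too-big (type 2) is mandatory for PMTUD to work at all
add chain=input protocol=icmpv6 icmpv6-type=2 action=accept comment="packet too big"
add chain=input protocol=icmpv6 icmpv6-type=1 action=accept comment="destination unreachable"
add chain=input protocol=icmpv6 icmpv6-type=3 action=accept comment="time exceeded"
add chain=input protocol=icmpv6 icmpv6-type=4 action=accept comment="parameter problem"
# neighbour discovery is link-local and always sent with hop limit 255; reject anything else claiming to be ND
add chain=input protocol=icmpv6 icmpv6-type=133 hop-limit=equal:255 action=accept comment="router solicitation"
add chain=input protocol=icmpv6 icmpv6-type=134 hop-limit=equal:255 action=accept comment="router advertisement"
add chain=input protocol=icmpv6 icmpv6-type=135 hop-limit=equal:255 action=accept comment="neighbor solicitation"
add chain=input protocol=icmpv6 icmpv6-type=136 hop-limit=equal:255 action=accept comment="neighbor advertisement"
add chain=input protocol=icmpv6 icmpv6-type=128 limit=5,10:packet action=accept comment="echo request"
add chain=input protocol=icmpv6 action=drop

# the workaround from the thread, for when some upstream still eats ICMP: clamp MSS on new flows via WAN
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface-list=WAN action=change-mss new-mss=clamp-to-pmtu passthrough=yes
/ipv6 firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface-list=WAN action=change-mss new-mss=clamp-to-pmtu passthrough=yes
```

The clamp only helps TCP; UDP-based protocols (DNS over large responses, VPNs, QUIC) still depend on the ICMP errors above reaching the sender, so the clamp is a complement to the accept rules, not a substitute for them.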
by ZeroByte
Wed Sep 27, 2017 6:59 pm
Forum: General
Topic: Masquerade traffic in forward chain
Replies: 3
Views: 610

Re: Masquerade traffic in forward chain

A couple of tips: It's not the input chain because there is no input/output/forward chain structure in the NAT table - there is only srcnat and dstnat. In the filter table, this would be forward because neither the source IP address in the packet nor the destination IP in the packet belongs to the r...
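The NAT table layout described in the post above (and the rule set walked through in the earlier "don't NAT between these two networks, then masquerade" post) as an added RouterOS example, not the posters' configurations. The two subnets and the `WAN` interface list are assumptions.

```routeros
# Added example, not from the original posts. Subnets and interface list are assumptions.
/ip firewall nat
# rule 0: traffic between the two internal networks is routed untouched.
# action=accept in srcnat means "stop here, do not translate", it is not a filter decision
add chain=srcnat src-address=192.168.123.0/24 dst-address=192.168.33.0/24 action=accept comment="no NAT between LANs"
# rule 1: everything else leaving via WAN is rewritten to the WAN interface's current address
add chain=srcnat out-interface-list=WAN action=masquerade
# if the WAN address is static, src-nat to a fixed address avoids masquerade dropping
# all tracked connections whenever the interface bounces (203.0.113.2 is an assumption):
# add chain=srcnat out-interface-list=WAN action=src-nat to-addresses=203.0.113.2

# NAT and filtering are separate tables: exempting LAN-to-LAN traffic from NAT does not
# allow it, the filter forward chain still has to accept it
/ip firewall filter
add chain=forward src-address=192.168.123.0/24 dst-address=192.168.33.0/24 action=accept
add chain=forward src-address=192.168.33.0/24 dst-address=192.168.123.0/24 action=accept
```

Rule order in srcnat is first match wins, so the exemption has to sit above the masquerade rule; check with `/ip firewall nat print stats` that the exemption's counters move when the two LANs talk.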
by ZeroByte
Wed Sep 27, 2017 6:29 pm
Forum: Beginner Basics
Topic: Router won't route LAN to WAN! Totally stumped [SOLVED]
Replies: 29
Views: 3989

Re: Router won't route LAN to WAN! Totally stumped [SOLVED]

No problem!

So it turned out to be essentially a form of ARP poisoning - caused by IP duplication. That's why good troubleshooting steps are essential. Start eliminating things until the problem follows one or the other test you make, helping you narrow down what it could/couldn't be.

Happy routing!
by ZeroByte
Wed Sep 27, 2017 7:44 am
Forum: Forwarding Protocols
Topic: Routing based on SOURCE IP or SOURCE interface?
Replies: 4
Views: 4078

Re: Routing based on SOURCE IP or SOURCE interface?

route rules are a simplified way to do policy routing, as opposed to the "mainstream" method of using action=mark-routing new-routing-mark=ISP2 on mangle table rules. Basically, the thing you want to do is make some route rules which list your local addresses (both LANs and both WANs) and set the ac...
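The route-rule approach outlined in the post above, filled in as an added RouterOS example (not the poster's own). All addresses are assumptions: LAN1 192.168.1.0/24 uses ISP1 via the main table, LAN2 192.168.2.0/24 uses ISP2, with 203.0.113.0/24 and 198.51.100.0/24 standing in for the two WAN networks.

```routeros
# Added example, not from the original post. All addresses and interface names are assumptions.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 check-gateway=ping comment="ISP1 default, main table"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 check-gateway=ping routing-mark=ISP2 comment="ISP2 default"

/ip route rule
# 1. anything destined to a local network (both LANs, both WAN subnets) stays in the main table,
#    whatever the source; otherwise LAN2 could not reach LAN1 or the router's own WAN addresses
add dst-address=192.168.0.0/16   action=lookup-only-in-table table=main
add dst-address=203.0.113.0/24   action=lookup-only-in-table table=main
add dst-address=198.51.100.0/24  action=lookup-only-in-table table=main
# 2. then pick the table by source: LAN2 goes to ISP2. action=lookup (not lookup-only-in-table)
#    falls back to main if the ISP2 route is unreachable, which gives failover for free
add src-address=192.168.2.0/24 action=lookup table=ISP2
# 3. replies sourced from the ISP2 public address must leave via ISP2 or they get dropped upstream
add src-address=198.51.100.2/32 action=lookup-only-in-table table=ISP2
```

Rules are evaluated top to bottom and the first match decides the table, so the "local destinations first" block has to precede the source-based rules.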
by ZeroByte
Wed Sep 27, 2017 7:36 am
Forum: Forwarding Protocols
Topic: PIM Routing Not Working
Replies: 5
Views: 1661

Re: PIM Routing Not Working

Look in the status windows to see if the routers show your multicast group e.g. 226.94.10.1 Also - since you use two different groups with iperf - I assume that one or the other is the real group your system uses, and not 224.0.0.x (which is defined as local segment only - i.e. it doesn't pass throu...
by ZeroByte
Wed Sep 27, 2017 7:30 am
Forum: General
Topic: web server tcp help
Replies: 3
Views: 572

Re: web server tcp help

Make sure the firewall's filter rules aren't blocking traffic to your server. Add a rule: chain=forward protocol=tcp dst-ports=80,443 dst-address=192.168.x.x action=accept (use the inside IP / ports in your rule because filtering happens AFTER dstnat takes place) Make sure this rule comes early enou...
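An added RouterOS example of the point above (filtering sees the packet after dstnat, so the forward rule matches the inside address and must come before the drops); this is not the poster's configuration. The inside server 192.168.10.20 and the `WAN` interface list are assumptions.

```routeros
# Added example, not from the original post. Server address and interface list are assumptions.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.10.20 comment="web server"

/ip firewall filter
# the accept matches the post-dstnat packet (inside IP and ports) and is placed above the first
# forward drop so that rule order cannot silently defeat it
add chain=forward protocol=tcp dst-address=192.168.10.20 dst-port=80,443 connection-nat-state=dstnat \
    action=accept comment="web server" place-before=[:pick [find chain=forward action=drop] 0]
# expose only what is published: new connections from WAN that were not DNATed are dropped
add chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list=WAN action=drop

# verification: these counters should increase while you connect from outside
/ip firewall nat print stats where comment="web server"
/ip firewall filter print stats where comment="web server"
```

Matching `connection-nat-state=dstnat` keeps the accept from doubling as a general "anyone may reach 192.168.10.20:80" rule for traffic that did not come through the published mapping.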
by ZeroByte
Wed Sep 27, 2017 7:27 am
Forum: General
Topic: Set IPv6 dhcp-client DUID
Replies: 3
Views: 1049

Re: Set IPv6 dhcp-client DUID

Ah - this makes sense (my guess about Comcast in the other thread appears to have been wrong). It's interesting to see how so many different ISPs do so many different things with their IPv6 rollouts. It's going to be nice a few years down the road once the industry settles into standards like it has...
by ZeroByte
Wed Sep 27, 2017 7:22 am
Forum: General
Topic: DHCPv6 DUID change - bug?
Replies: 11
Views: 2402

Re: DHCPv6 DUID change - bug?

Are you using Comcast? When you first set a prefix-hint on their service, a strange thing happens. Packet captures show that the primary server gives you the same /64 you already had, and the backup server gives a /60, but since it replies later than the primary, the Mikrotik router will have alread...
by ZeroByte
Wed Sep 27, 2017 7:08 am
Forum: Beginner Basics
Topic: Conigure RB2011UiAS-RM
Replies: 1
Views: 318

Re: Conigure RB2011UiAS-RM

In general, the default firewall for RouterOS works fine after a factory reset - but one issue that plagues newbies and leads to a lot of posts here is that the default firewall rules protect the default WAN interface (usually named ether1-gateway). This configuration assumes that ether1-gateway is ...
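The fix for the situation described above (the default firewall guards `ether1-gateway`, but the uplink is plugged in elsewhere), as an added RouterOS example rather than the poster's own commands. `ether5` as the real uplink is an assumption; which of the two rule styles applies depends on the RouterOS version the defaults came from.

```routeros
# Added example, not from the original post. ether5 as the real uplink is an assumption.
# first look at what the default drop rules actually reference
/ip firewall filter print where chain=input action=drop

# 6.41+ style defaults match in-interface-list=WAN: make the real uplink the list member
/interface list member add list=WAN interface=ether5
/interface list member remove [find list=WAN interface=ether1]

# older style defaults name the port directly: rewrite every rule that still says ether1-gateway
/ip firewall filter set [find in-interface=ether1-gateway] in-interface=ether5
/ip firewall nat    set [find out-interface=ether1-gateway] out-interface=ether5
/ip dhcp-client     set [find interface=ether1-gateway] interface=ether5

# an uplink that is also a bridge port is seen by the firewall as the bridge, not as WAN
/interface bridge port print where interface=ether5
```

Until this is done the box is in the worst of both worlds: the LAN ports are "protected" by rules that never match, and the port facing the Internet has no input-chain drop at all.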
by ZeroByte
Wed Sep 27, 2017 1:57 am
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208035

Re: Feature requests

Selectable auth mechanisms for RADIUS-based AAA on system login. Currently it varies based on the access vector, and Winbox requires CHAP, which requires a reversible-crypto / plaintext password store. Or add an LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing ...
by ZeroByte
Wed Sep 27, 2017 12:23 am
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123693

Re: v6.41rc [release candidate] is released! New bridge implementation!

I just put 6.41rc32 onto an RB2011UAS-2HnD and have a question. The pre-upgrade configuration was with a bridge name=LAN with ports=ether2 and ether6, with those set as masters in the switch menu to ports ether3-5 and ether7-9 respectively. ether1, ether10, and sfp1 were all stand-alone interfaces. ...
by ZeroByte
Tue Sep 26, 2017 9:48 pm
Forum: General
Topic: Wrong IP distribution in DHCP server
Replies: 2
Views: 527

Re: Wrong IP distribution in DHCP server

With hotspot, you need to create a static binding in the hosts table.
by ZeroByte
Tue Sep 26, 2017 9:45 pm
Forum: Forwarding Protocols
Topic: MPLS Max Speed
Replies: 6
Views: 1392

Re: MPLS Max Speed

That I couldn't say since I've never put a CCR into any kind of core-level production.
I'd say that most of the line appears to be capable enough to handle 600Mbps without much problem, even with smaller packets such as RTP (VoIP).
by ZeroByte
Tue Sep 26, 2017 9:41 pm
Forum: Forwarding Protocols
Topic: OSPF vs BGP route of the same
Replies: 2
Views: 1118

Re: OSPF vs BGP route of the same

https://wiki.mikrotik.com/wiki/Manual:Route_Selection_Algorithm_in_RouterOS BGP routes come in two flavors: eBGP (peer has different ASN) and iBGP (peer has same ASN). EBGP has a default administrative distance of 20 OSPF has a default administrative distance of 110 IBGP has a default administrative...
by ZeroByte
Tue Sep 26, 2017 9:31 pm
Forum: Forwarding Protocols
Topic: MPLS Max Speed
Replies: 6
Views: 1392

Re: MPLS Max Speed

You should consider the CCR line and not the CRS which is basically a switch with some light layer3 capabilities. Because it runs ROS, it has access to the full feature set, but many threads on here deal with people having performance issues because they're asking too much of their CRS's routing fun...