Community discussions

Search found 279 matches

by tjc
Sat Oct 15, 2016 10:02 pm
Forum: Announcements
Topic: v6.37.1 [current] is released!
Replies: 144
Views: 38089

Re: v6.37.1 [current] is released!

Well THAT didn't go well... Upgraded a RB750G from v6.35.2 to v6.37.1 and: - CPU usage spiked after the update and remained high on a router that normally never goes above 5% CPU load - Firewall filter rules based on ConnTracking connection state lost that setting. Rather than connection-state=inval...
by tjc
Sun May 19, 2013 6:14 pm
Forum: Beginner Basics
Topic: Jump Action in Firewall filter (What is it?)
Replies: 4
Views: 4512

Re: Jump Action in Firewall filter (What is it?)

You can think of ICMP as a common subroutine. There are 4 chains in the example, the builtin chains input, output, and forward, and the custom chain ICMP. When one of the other chains gets an ICMP protocol packet it jumps to the chain called "ICMP". Note that this is just an arbitrary name, not anyt...
by tjc
Sat May 11, 2013 6:47 pm
Forum: Scripting
Topic: call a URL
Replies: 6
Views: 3454

Re: call a URL

And, unless they've fixed it recently, if the resolve fails the whole thing bombs.
:put [:ping [:resolve nosuchbeast.com] count=1]
That will give you an error ("failure: dns name does not exist") rather than a 1 or 0.
by tjc
Mon May 06, 2013 2:31 am
Forum: Scripting
Topic: Generation of "numbers"
Replies: 9
Views: 1951

Re: Generation of "numbers"

I generally find it easier to just upload scripts and execute them. Mikrotik is forever making minor changes that break scripts but the API seems to be worse. With scripts at least I only have to relearn one notation when something changes. ;-)
by tjc
Sun May 05, 2013 8:57 pm
Forum: Scripting
Topic: Generation of "numbers"
Replies: 9
Views: 1951

Re: Generation of "numbers"

IDs are generated for interactive console sessions. You can't depend on them outside of that. Use the "find" command in your script instead, that works reliably. A useful tip in certain cases is to put unique info in the comment field and then search based on that. http://wiki.mikrotik.com/wiki/Manu...
by tjc
Sun Apr 21, 2013 7:03 pm
Forum: Beginner Basics
Topic: [SOLVED] static DHCP not working
Replies: 13
Views: 16052

Re: [SOLVED] static DHCP not working

Duh-oh! Didn't even notice that he had both set. I've got a comment with the hostname where he's got the client-id so they looked similar at a glance. add address=192.168.1.104 comment=x2 disabled=no mac-address=00:17:31:12:34:77 server=default Versus: add address=10.1.1.6 client-id=xbmc mac-address...
by tjc
Sat Apr 20, 2013 7:46 pm
Forum: Beginner Basics
Topic: [SOLVED] static DHCP not working
Replies: 13
Views: 16052

Re: static DHCP not working

And no, I do not have ip pools set up to cover the static assignments. As I understand it, that would just dynamically assign one of those addresses to the clients, since you're then using the pool and not the 'static-only' pool setting. Am I correct? Certain items here would indicate otherwise: ht...
by tjc
Thu Apr 18, 2013 5:27 am
Forum: Beginner Basics
Topic: [SOLVED] static DHCP not working
Replies: 13
Views: 16052

Re: static DHCP not working

Do you have the ip pools set up to cover those assignments? Something like this... /ip pool add name=default-dhcp ranges=192.168.88.1-192.168.88.254 add name="trusted" ranges=10.1.1.2-10.1.1.254 add name="media pool" ranges=10.1.2.2-10.1.2.254 add name="yggdrasil-pool" ranges=10.1.3.2-10.1.3.254 add...
by tjc
Fri Feb 15, 2013 3:21 am
Forum: General
Topic: 5.23 mipsbe export problem
Replies: 7
Views: 1199

Re: 5.23 mipsbe export problem

Definitely seeing the same thing here. In both full and compact export that section is now missing.
by tjc
Sun Nov 18, 2012 8:51 pm
Forum: Beginner Basics
Topic: webfig not work
Replies: 7
Views: 7095

Re: webfig not work

Try this: /ip service export I'm guessing that you'll see something like this: [admin@MikroTik] > /ip service export # nov/18/2012 13:47:41 by RouterOS 5.17 # software id = 1BS6-EST0 # /ip service set telnet address=192.168.1.0/24 disabled=yes port=23 set ftp address=192.168.1.0/24 disabled=yes port...
by tjc
Wed Jul 11, 2012 7:17 am
Forum: General
Topic: Blocking bogus DHCP responses
Replies: 4
Views: 2903

Re: Blocking bogus DHCP responses

Well a trivial block on responses from 192.168.100.1 didn't seem to do the trick. The router still got the bogus 192.168.100.10 assignment on the most recent upstream connection failure. jul/10 23:36:12 interface,info ether1-gateway link down jul/10 23:36:15 interface,info ether1-gateway link up (...
by tjc
Sat Jul 07, 2012 6:05 am
Forum: General
Topic: Blocking bogus DHCP responses
Replies: 4
Views: 2903

Re: Blocking bogus DHCP responses

Yes, that should work. You should remove src-address, because you don't want any dhcp coming in on that interface from any address. Well actually I *do* want the response from the ISP via that port, since that's how the router gets its public IP. (Cheesy ascii net diagram...) ISP cloud ----- cable...
by tjc
Fri Jul 06, 2012 6:49 am
Forum: General
Topic: Blocking bogus DHCP responses
Replies: 4
Views: 2903

Blocking bogus DHCP responses

I've been seeing sequences like this in my logs under 5.17: 23:02:24 interface,info ether1-gateway link down 23:02:27 interface,info ether1-gateway link up (speed 1000M, full duplex) 23:02:28 interface,info ether1-gateway link down 23:02:42 interface,info ether1-gateway link up (speed 1000M, full du...
by tjc
Wed Jul 04, 2012 7:08 pm
Forum: General
Topic: Logging firewall filter events without duplicating rules
Replies: 2
Views: 564

Re: Logging firewall filter events without duplicating rules

Yeah, custom chains are the filter rule equivalent of subroutines. Very useful when you want to do several actions based on multiple triggers. You can even return to the chain that you came from if the custom chain doesn't terminate (accept, reject, drop, tarpit) the packet. Just remember that every...
by tjc
Wed Jul 04, 2012 6:47 pm
Forum: Beginner Basics
Topic: How to deny/allow website by IP address in RB750 router?
Replies: 14
Views: 49104

Re: How to deny/allow website by IP address in RB750 router?

It sounds like piseth168 wants to filter by originating user as well as destination.

So the answer is half the solution needed, and just needs a src-address or src-address-list which covers the machines that you're interested in limiting.
by tjc
Sat Jun 16, 2012 4:40 am
Forum: RouterBOARD hardware
Topic: ARM based RouterBoard
Replies: 24
Views: 13488

Re: ARM based RouterBoard

Let's not discount the availability of the Atheros AR7100 SOC family which is "designed for home and enterprise WiFi access points, routers and gateways." There are a *lot* of routers built around their chips and a lot of Linux support for them.
by tjc
Sat Jun 16, 2012 4:22 am
Forum: RouterBOARD hardware
Topic: RB7XX series
Replies: 12
Views: 2126

Re: RB7XX series

/system routerboard settings print /system routerboard settings set cpu-frequency=... The webfig UI has a drop down with possible values. On the RB750G I've got handy it includes 400, 600, 680 and 800 along with several lower speeds. Check the web UI on yours to be sure what it will accept. Also be...
by tjc
Mon Jun 11, 2012 1:19 am
Forum: RouterBOARD hardware
Topic: RB7XX series
Replies: 12
Views: 2126

Re: RB7XX series

/system routerboard settings print /system routerboard settings set cpu-frequency=... The webfig UI has a drop down with possible values. On the RB750G I've got handy it includes 400, 600, 680 and 800 along with several lower speeds. Check the web UI on yours to be sure what it will accept. Also be...
by tjc
Sun Jun 10, 2012 5:42 pm
Forum: General
Topic: Can I load a script when I'm using NetInstall?
Replies: 2
Views: 560

Re: Can I load a script when I'm using NetInstall?

See: http://wiki.mikrotik.com/wiki/Netinstall The "Configure script" option lets you customize the script that is run when you reset the router to its "default" configuration. This page has information on the standard ones for each router model/family, including how to get the standard one from the...
by tjc
Sun Jun 10, 2012 5:28 pm
Forum: General
Topic: How can i verify ros before reboot?
Replies: 12
Views: 2360

Re: How can i verify ros before reboot?

It's probably more than just some hash verification. A lot of firmwares are signed with the manufacturer's master code. Digital signatures either involve encrypting the whole file, or more commonly using a hash which is then encrypted. See the History section here: http://en.wikipedia.org/wiki/Digita...
by tjc
Sun Jun 10, 2012 12:59 am
Forum: Beginner Basics
Topic: IT Project
Replies: 5
Views: 1203

Re: IT Project

+1 - Writing up a good guide on securing an IPV6 router, setting up firewalls, and other security implications of IPV6 would be enormously valuable.
by tjc
Sun Jun 10, 2012 12:52 am
Forum: Beginner Basics
Topic: Telnet is not working
Replies: 7
Views: 1462

Re: Telnet is not working

Normally no. The whole purpose of a switch is to forward traffic based on MAC/IP of the devices on its various ports. A smart/managed switch can often be configured to drop certain traffic but a common unmanaged switch just forwards packets based on address and who is connected where. That said, gi...
by tjc
Sat Jun 09, 2012 7:58 pm
Forum: General
Topic: Help on accessing rb450g from internet
Replies: 5
Views: 1183

Re: Help on accessing rb450g from internet

BTW - If you're going to do this I strongly recommend using some kind of whitelist for access control, and preferably an encrypted connection.
by tjc
Sat Jun 09, 2012 7:54 pm
Forum: General
Topic: How can i verify ros before reboot?
Replies: 12
Views: 2360

Re: How can i verify ros before reboot?

Seriously, give the MikroTik guys some credit. They're not stupid. How exactly do you think they're checking that the packages "are not damaged" other than by using some kind of strong hash code (MD5, SHA, ...)? Unless you've tested and proven this yourself claiming that they're "not check with md5s...
by tjc
Sat Jun 09, 2012 7:29 pm
Forum: Beginner Basics
Topic: DNS redirect
Replies: 8
Views: 2812

Re: DNS redirect

Those rules force all DNS requests to use the router's DNS server. The rules read: for any specified destination address with destination port 53 (DNS) either TCP or UDP redirect the request to 192.168.88.1 port 53 (DNS) Since 192.168.88.1 is the router's default internal LAN address (vs. the exte...
by tjc
Tue Jun 05, 2012 6:09 am
Forum: General
Topic: How can i verify ros before reboot?
Replies: 12
Views: 2360

Re: How can i verify ros before reboot?

Yes, i know, but what if md5sum is wrong? I reboot router and then?
Presumably it reboots without doing the upgrade.
by tjc
Tue Jun 05, 2012 5:55 am
Forum: RouterBOARD hardware
Topic: RB450G - l2 mtu
Replies: 2
Views: 912

Re: RB450G - l2 mtu

Happened with the 5.7 release, questions were asked at that time and what answers there were seemed to indicate that it was to work around some kind of hardware problem; vague recollection says it was related to the switch chips since it varies with which hardware uses which chips. http://forum.mikro...
by tjc
Sat Jun 02, 2012 8:52 pm
Forum: Beginner Basics
Topic: Just install MicroTik RB750 - Static IP via DHCP
Replies: 4
Views: 1114

Re: Just install MicroTik RB750 - Static IP via DHCP

Essentially you want to add a second address to the "external" WAN interface? /ip address add address=xxx.xxx.xxx.222/24 comment="Secondary address for WAN interface" \ interface=ether1-gateway network=xxx.xxx.xxx.0 The /24 and network addresses are a S.W.A.G. so adjust as needed to match the primar...
by tjc
Fri May 25, 2012 4:31 am
Forum: General
Topic: input chain doesn't work in filter rule
Replies: 9
Views: 1105

Re: input chain doesn't work in filter rule

Input chain - traffic from another system aimed specifically at the router itself Output chain - traffic originating at the router sent to some other system. Forward chain - traffic to/from a system behind the router (through the router) See: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Ch...
by tjc
Fri May 25, 2012 4:12 am
Forum: Beginner Basics
Topic: No External FTP Access - RB750
Replies: 15
Views: 4173

Re: No External FTP Access - RB750

Does your firewall configuration allow "related" connections? FTP is funky in that it uses two ports and needs the related connections enabled, particularly in active mode where the remote host has to open a socket back to the client. For starters try having your FTP client connect using passive mode...
by tjc
Thu May 24, 2012 6:27 am
Forum: Wireless Networking
Topic: Export all the configuration as the script...
Replies: 3
Views: 3898

Re: Export all the configuration as the script...

:export file=mybackup
For any version more recent than 5.12 use "export compact".
/
export compact file=mybackup
That should give you just the settings that have been changed from the default values, which makes things easier if you need to do any editing.
by tjc
Thu May 24, 2012 5:41 am
Forum: RouterBOARD hardware
Topic: RESET BUTTON ON RB 750
Replies: 14
Views: 113677

Re: RESET BUTTON ON RB 750

Most current RB devices have reset pads intended to be bridged with a screwdriver or other metal tool. So even if you break the reset switch there is still a reset option. For example on the RB750, RB750G, and RB750GL the pads are accessible via an opening under one of the stick-on silicon feet. ht...
by tjc
Sun May 20, 2012 4:48 pm
Forum: Beginner Basics
Topic: Port forwarding router os 5.15 rb750
Replies: 9
Views: 4025

Re: Port forwarding router os 5.15 rb750

What do your firewall rules look like? Do this from a console session on the router and post the results.
/ip firewall export
by tjc
Thu May 17, 2012 2:54 am
Forum: General
Topic: Export compact (new in v5.12)
Replies: 76
Views: 35248

Re: Export compact (new in v5.12)

There have definitely been fixes in this area since 5.12. Based on comparing compact exports from 5.12 and 5.16 they seem to have fixed the problems with 0.0.0.0, script policies, logging, neighbor discovery, ... So far 5.16 is looking like a very solid release.
by tjc
Sat May 12, 2012 5:12 am
Forum: General
Topic: RB750 hardware reliability
Replies: 10
Views: 2684

Re: RB750 hardware reliability

Replacing the bad capacitors should bring the router back to life. It's a bother, and depending on your labor costs may not be worthwhile, but there are several threads in the forums about the specs for replacement caps and how to do it.
by tjc
Sat Apr 14, 2012 9:15 pm
Forum: Beginner Basics
Topic: Backup of RB750
Replies: 2
Views: 1379

Re: Backup of RB750

Use export, and if the RB750 is running RouterOS 5.12 or later, export compact. The binary backup format is only designed to be restored on the same router. Even with the same model you may find some issues with MAC addresses and the like.
by tjc
Sat Apr 14, 2012 9:11 pm
Forum: Beginner Basics
Topic: Simplest way to clone an RB750?
Replies: 12
Views: 3573

Re: Simplest way to clone an RB750?

BTW - that won't work without some editing of the export file, since the export format for many items conflicted with the default configuration.

The upgrade compact enhancement is at least partially to fix that problem.
by tjc
Mon Apr 02, 2012 4:23 am
Forum: Beginner Basics
Topic: Firewall Jump Question
Replies: 6
Views: 7868

Re: Firewall Jump Question

Let's assume that your WAN interfaces are named "WAN1" and "WAN2" and that your firewall chain is called "workstations", the jump rules become: add action=jump chain=forward comment=\ "Anything else from outside goes to the workstations chain" \ in-interface=WAN1 jump-target=workstations add action=j...
by tjc
Mon Apr 02, 2012 4:10 am
Forum: Beginner Basics
Topic: White List FTP Access
Replies: 18
Views: 3155

Re: White List FTP Access

OK, right here you are accepting incoming connections to the http, ftp and rdp ports. Once you accept the traffic, it's accepted, and you can't really filter it further. add action=accept chain=forward comment="" disabled=no dst-address=192.168.88.250 dst-port=80,22610 in-interface=\ ether1-gateway ...
by tjc
Mon Apr 02, 2012 3:26 am
Forum: General
Topic: block rogue dhcp traffic
Replies: 18
Views: 22240

Re: block rogue dhcp traffic

in the meantime i've gone and created the following by hand. please advise if it's correct: 2 ;;; rogue dhcp server chain=input action=drop src-mac-address=74:EA:3A:F2:AF:90 That only blocks traffic to the router itself, not through it (for that you want the forward chain), and as reverged points o...
by tjc
Mon Apr 02, 2012 3:07 am
Forum: Beginner Basics
Topic: Firewall Jump Question
Replies: 6
Views: 7868

Re: Firewall Jump Question

An example is often worth a thousand words of explanation. Here is an example jump rule: add action=jump chain=forward comment=\ "Anything else from outside goes to the customer chain" disabled=no \ in-interface=ether1-gateway jump-target=customer Aside from the comment, this is more or less from the ...
by tjc
Mon Apr 02, 2012 2:53 am
Forum: Beginner Basics
Topic: Blocking sites
Replies: 4
Views: 976

Re: Blocking sites

is that an actual IP address or an interface description like <ether-1 gateway>? Would make sense for it to be <ether-1 gateway> because the IP of the WAN port can dynamically change. Yes, it's the interface name (e.g. "ether1-gateway") as you guessed. Given that most SOHO routers get the IP addres...
by tjc
Sat Mar 31, 2012 7:32 pm
Forum: Beginner Basics
Topic: White List FTP Access
Replies: 18
Views: 3155

Re: White List FTP Access

Firewall filter rules are executed in order, you may need to move that rule higher in the list, so it catches the ftp traffic before it is accepted by some other rule. Also, depending on where the ftp server is (the router itself or some machine behind it) you may need to put that rule in the forwar...
by tjc
Sat Mar 31, 2012 7:14 pm
Forum: General
Topic: block rogue dhcp traffic
Replies: 18
Views: 22240

Re: block rogue dhcp traffic

There's actually an option in the RouterOS DHCP server to detect rogue DHCP servers and raise an alert and/or run a script. http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#Alerts At that point you can do all sorts of interesting things, like adding the offending IP/MAC to a blacklist, or redire...
by tjc
Sat Mar 31, 2012 6:57 pm
Forum: Beginner Basics
Topic: Can't connect to the internet
Replies: 6
Views: 4255

Re: Can't connect to the internet

Does your ISP expect the old MAC address? You may either need to clone it or contact them with the new value.
by tjc
Sun Mar 25, 2012 5:37 am
Forum: General
Topic: Filter rules - Router and Customer Protection
Replies: 2
Views: 718

Re: Filter rules - Router and Customer Protection

Doesn't matter, IIRC TCP is the default. From: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter protocol (name or protocol ID; Default: tcp) Heck, in compact export mode it even leaves off the action on filter rules if it's accept (which is also the default). That's far more disconcerting to ...
by tjc
Sat Mar 24, 2012 5:37 pm
Forum: General
Topic: Firewall - block traffic between subnets
Replies: 10
Views: 18990

Re: Firewall - block traffic between subnets

If they are on different physical ports, which is generally a good idea for separate nets or subnets, you can drop traffic between any two interfaces that you want to isolate from each other. This may be more compact than using address lists. For example: add action=drop chain=forward in-interface=e...
by tjc
Sat Mar 24, 2012 5:26 pm
Forum: RouterBOARD hardware
Topic: 751G quickset network connection
Replies: 5
Views: 1238

Re: 751G quickset network connection

From the CLI:
/interface ethernet
set 0 mac-address=00:00:00:00:00:00
Replace 00:00:00:00:00:00 with the desired MAC address you want to use.
by tjc
Sat Mar 10, 2012 7:01 am
Forum: Beginner Basics
Topic: having trouble setting up a 750G as home firewall
Replies: 6
Views: 985

Re: having trouble setting up a 750G as home firewall

This one is worthwhile for getting started, it talks about a really old version of RouterOS but is otherwise pretty up to date:
http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router

For a deep dive the one that fewi did is good:
http://wiki.mikrotik.com/wiki/How_to_co ... ome_router
by tjc
Sun Mar 04, 2012 8:08 pm
Forum: General
Topic: Remote Access DSL Router
Replies: 2
Views: 459

Re: Remote Access DSL Router

Check/post your firewall filter rules to make sure that they allow incoming traffic to that port. You didn't say what model you're using, but many of them have a default filter rule that blocks new connections from being established from the WAN. The other thing to check is that the addresses specifie...
by tjc
Thu Feb 23, 2012 4:10 am
Forum: Beginner Basics
Topic: Can I lease an IP address for an user?
Replies: 5
Views: 2162

Re: Can I lease an IP address for an user?

For PPPoE you may need to do this via the user profile. See this page: http://wiki.mikrotik.com/wiki/PPP_AAA#User_Profiles You probably need to set the remote-address there to the desired IP of 10.0.0.100. While DHCP and PPPoE can use the same address pool, they're different mechanisms for getting t...
by tjc
Thu Feb 23, 2012 3:32 am
Forum: RouterBOARD hardware
Topic: RB750GL USB
Replies: 4
Views: 3177

Re: RB750GL USB

There have been a couple questions like this recently. For example someone noticed that the current RB750 has a place for it on the PCB but it's unpopulated: http://forum.mikrotik.com/viewtopic.php?f=3&t=59452 The RB750GL also has the same unpopulated USB pads on its PCB, see the picture here: http...
by tjc
Sat Feb 18, 2012 7:54 pm
Forum: Beginner Basics
Topic: Can I lease an IP address for an user?
Replies: 5
Views: 2162

Re: Can I lease an IP address for an user?

You're trying to do a static DHCP lease (LAN IP assignment) for a particular user? You can do this one of two ways, either by MAC address, or by User Id. For User ID your DHCP client has to include that option (DHCP option 61) in its request. For either you must add a static lease definition which ...
by tjc
Sun Feb 12, 2012 9:04 pm
Forum: Wireless Networking
Topic: How Do You Make SNTP server and client actually work?
Replies: 5
Views: 10117

Re: How Do You Make SNTP server and client actually work?

Have you done this and do you have it actively working in v5.12?
Yeah, works like a champ. All the machines on the LAN get their time via the NTP server on the router, and are right in sync.
by tjc
Sun Feb 12, 2012 8:46 pm
Forum: Beginner Basics
Topic: RouterOS upgrade
Replies: 3
Views: 2208

Re: RouterOS upgrade

Note that the combined package doesn't include everything, but you can supplement it with anything it doesn't contain. For example upload the combined package (routeros-mipsbe-5.12.npk) and the NTP package (ntp-5.12-mipsbe.npk) if you want to run an NTP server. This wiki page has details of what is ...
by tjc
Sat Feb 11, 2012 4:38 am
Forum: Wireless Networking
Topic: How Do You Make SNTP server and client actually work?
Replies: 5
Views: 10117

Re: How Do You Make SNTP server and client actually work?

Are you trying to use the router as an NTP server? You can't do that with SNTP, it's client only. You need to install and enable the NTP package for your RouterOS version then configure it. For example: /system ntp client set enabled=yes mode=unicast primary-ntp=65.182.224.60 secondary-ntp=216.129.11...
by tjc
Fri Feb 10, 2012 3:47 am
Forum: Beginner Basics
Topic: RB750GL Security
Replies: 5
Views: 1012

Re: RB750GL Security

Are you trying to keep people on the WAN from pinging machines on your LAN and getting a response? Or trying to keep people on your LAN from pinging machines on the WAN? Presuming that you're trying to stop WAN -> LAN the normal firewall rules (have you enabled the firewall?) in the forward chain sh...
by tjc
Thu Feb 09, 2012 3:58 am
Forum: General
Topic: Looking for solution to redirect DNS's server
Replies: 11
Views: 5717

Re: Looking for solution to redirect DNS's server

It's more common to just redirect all DNS requests to the router itself.
# Send all DNS requests to the router
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 action=redirect
add chain=dstnat protocol=tcp dst-port=53 action=redirect
by tjc
Thu Feb 09, 2012 3:53 am
Forum: General
Topic: Interface Isolation RB450? need help
Replies: 12
Views: 2816

Re: Interface Isolation RB450? need help

RB750 and RB450 are close enough for these purposes. On the other hand you never answered my questions about the configuration.

1) Did you check interfaces as suggested?
2) Are all 5 ports set to "master-port=none"?
by tjc
Wed Feb 08, 2012 4:30 am
Forum: General
Topic: Interface Isolation RB450? need help
Replies: 12
Views: 2816

Re: Interface Isolation RB450? need help

and eth1,2,3,4,5 is Switch, under the Switch menu I have no idea what you are trying to say here, and suspect that no one else does either. You need to be clearer and more specific about what you are seeing. Posting output from the router CLI is very helpful. Try doing this: /interface ethernet exp...
by tjc
Tue Feb 07, 2012 3:19 am
Forum: Beginner Basics
Topic: Ethernet Interface Numbering
Replies: 4
Views: 689

Re: Ethernet Interface Numbering

In an export they're numbered 0 through whatever. AFAICT these are the real hardware port numbers.
by tjc
Sat Feb 04, 2012 9:19 pm
Forum: Beginner Basics
Topic: BUG v5.12 : firewall - not all params visibile from terminal
Replies: 12
Views: 2330

Re: BUG v5.12 : firewall - not all params visibile from term

See their disclaimer from the top of the front page - "Notice: For support from Mikrotik staff, write to support@mikrotik.com - Mikrotik does not generally offer support on the forum, this is a user forum" Also see - http://www.mikrotik.com/support.html I've always been a bit surprised that they don...
by tjc
Sat Feb 04, 2012 9:06 pm
Forum: Beginner Basics
Topic: BUG v5.12 : firewall - not all params visibile from terminal
Replies: 12
Views: 2330

Re: BUG v5.12 : firewall - not all params visibile from term

Yeah, sorry, my brain was only half working, export never includes dynamic stuff. The print thing sounds like a bug you should report to MikroTik support.
by tjc
Sat Feb 04, 2012 6:12 am
Forum: General
Topic: multiple dns using mac-address reservation
Replies: 12
Views: 2138

Re: multiple dns using mac-address reservation

With all that said, will what you suggest work in this situation? Wouldn't the phones have the same problem if the internet goes down? Sure why not? Let's draw a simplified network diagram: clients --- subnet routers --- external router The subnet router here controls the clients view of the world....
by tjc
Fri Feb 03, 2012 4:49 am
Forum: General
Topic: multiple dns using mac-address reservation
Replies: 12
Views: 2138

Re: multiple dns using mac-address reservation

Why not point everything at the router as your primary DNS and let the router cache/proxy the requests from there? This makes the DHCP server tell its clients that the router is their primary (and only) DNS and NTP server. /ip dhcp-server network add address=192.168.1.0/24 dns-server=192.168.1.1 ga...
by tjc
Thu Feb 02, 2012 8:14 am
Forum: General
Topic: Interface Isolation RB450? need help
Replies: 12
Views: 2816

Re: Interface Isolation RB450? need help

Hi, I don't understand this part, I've done a couple of firewall rules before, ...but it was only to block certain IP ranges from another. You can write rules based on input or output interface, so for example: add action=accept chain=forward in-interface=ether1 comment="ether1 gets forwarded to 2-...
by tjc
Wed Feb 01, 2012 6:55 am
Forum: General
Topic: Interface Isolation RB450? need help
Replies: 12
Views: 2816

Re: Interface Isolation RB450? need help

Default configuration is for ports 2-5 to be in a switch group with 2 as the master and 3-5 as the slaves. To isolate them from each other remove those ports from the switch group and setup firewall rules that block traffic from each input to anything but the uplink in the forward chain and to the r...
by tjc
Tue Jan 31, 2012 7:54 am
Forum: RouterBOARD hardware
Topic: RB750 - IP change
Replies: 5
Views: 3615

Re: RB750 - IP change

This router can change the ip into 192.168.87.x/ 22 ? There is a basic conflict there. 192.168.87.0 isn't on a 22 bit boundary. 0xC0A85700 & 0xFFFFFC00 == 0xC0A85400 -> 192.168.84.0 With a /22 mask your sub networks in that range are; ..., 192.168.84.0, 192.168.88.0, 192.168.92.0, ... With a /21 ma...
by tjc
Tue Jan 31, 2012 7:24 am
Forum: Beginner Basics
Topic: how to access/ping the host on LAN by hostname instead of ip
Replies: 10
Views: 6327

Re: how to access/ping the host on LAN by hostname instead o

Do the names show up if you list the static DNS entries and the cached entries?
/ip dns static print
/ip dns cache print
If you use nslookup and specify the name server as your router does it resolve the names?
nslookup YOUR_HOSTNAME_HERE YOUR_ROUTER_IP_HERE
by tjc
Tue Jan 31, 2012 6:57 am
Forum: General
Topic: Export compact (new in v5.12)
Replies: 76
Views: 35248

Re: Export compact (new in v5.12)

This is not a problem, it's a feature. Since v5.12 a lot of new "default" settings have been added, and what you described as a problem, will actually work in all routers, even with no config. So the claim is no more editing the exported configuration to be able to restore using it? That would be p...
by tjc
Mon Jan 30, 2012 2:47 am
Forum: Beginner Basics
Topic: how to access/ping the host on LAN by hostname instead of ip
Replies: 10
Views: 6327

Re: how to access/ping the host on LAN by hostname instead o

First you need to make sure the machines on your LAN use your router as their primary DNS. Then, for anything with a static address: /ip dns static add address=192.168.1.10 name=server1 For machines that get their address via DHCP you would need to write a script that scans through your DHCP leases ...
by tjc
Sun Jan 29, 2012 5:39 pm
Forum: General
Topic: RB750 winbox problem
Replies: 2
Views: 1867

Re: RB750 winbox problem

Have you tried soft/hard resetting it?
by tjc
Sun Jan 29, 2012 5:37 pm
Forum: Beginner Basics
Topic: Forcing Users to use your DHCP Only but not the Servers
Replies: 6
Views: 891

Re: Forcing Users to use your DHCP Only but not the Servers

:oops: Yeah, I meant DHCP not DNS. Corrected above.

That's what happens when you post too early in the morning before the caffeine kicks in... All those D words look the same when your eyes are still bleary.
by tjc
Sun Jan 29, 2012 5:31 pm
Forum: General
Topic: Export compact (new in v5.12)
Replies: 76
Views: 35248

Re: Export compact (new in v5.12)

With the export changes in 5.12 a lot of the exported items in both compact and normal mode were converted to a form that works better with existing settings (e.g. using "set [ find default=yes ]" rather than "add"), however, there are still a lot that use add in ways that might conflict with a defa...
by tjc
Sun Jan 29, 2012 4:48 pm
Forum: Beginner Basics
Topic: Forcing Users to use your DHCP Only but not the Servers
Replies: 6
Views: 891

Re: Forcing Users to use your DHCP Only but not the Servers

Alternately you can do static DHCP assignments for the servers (by client-id or mac-address) and make the servers use DHCP too.

(corrected a thinko DNS vs. DHCP)
by tjc
Sat Jan 28, 2012 3:30 am
Forum: RouterBOARD hardware
Topic: RB750 - IP change
Replies: 5
Views: 3615

Re: RB750 - IP change

Doing a full export is your best bet. Looking at an old export that I had saved these are the places that mention 192.168.88.*: /ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254 /ip address add address=192.168.88.1/24 broadcast=192.168.88.255 comment=\ "default configuration" disabl...
by tjc
Wed Jan 25, 2012 4:51 am
Forum: General
Topic: Export compact (new in v5.12)
Replies: 76
Views: 35248

Re: Export compact (new in v5.12)

Compact export of firewall address lists produces funky results. This:
/ip firewall address-list
add address=0.0.0.0/8 comment=bogons disabled=no list=blacklist
add address=10.0.0.0/8 comment=bogons disabled=no list=blacklist
add address=127.0.0.0/8 comment=bogons disabled=no list=blacklist
add addr...
by tjc
Wed Jan 25, 2012 4:48 am
Forum: Beginner Basics
Topic: Restrict computer access to my local web server ...
Replies: 7
Views: 1817

Re: Restrict computer access to my local web server ...

I don't see an address list called "IPs_ALLOW" in that export. It should look something like this:
/ip firewall address-list
add address=192.168.88.33 comment="John Yaya - Yoyodyne Propulsion Systems" disabled=no list=IPs_ALLOW
add address=192.168.88.45 comment="John BigBoote - Yoyodyne Propulsion ...
by tjc
Wed Jan 25, 2012 4:18 am
Forum: General
Topic: v5.12 released
Replies: 144
Views: 25186

Re: v5.12 released

Any chance of being able to limit shares to users ?
You already can, there are settings for:
1) allowing guest users or not (/ip smb)
2) limiting access to certain interfaces (/ip smb)
3) adding a list of allowed users (/ip smb users)
4) designating where the storage is (/ip smb shares)
by tjc
Sun Jan 22, 2012 9:13 pm
Forum: General
Topic: Why bother having SMB server?
Replies: 19
Views: 3184

Re: Why bother having SMB server?

dressed up like a pig at the county fair. Is this the joke where two guys steal the prize pig at the county fair, dress it up in some woman's clothes, and after the policemen/guards let them pass, one of the cops says to the other(s) "what is a nice xxx girl doing with a couple yyy guys like that?"...
by tjc
Sun Jan 22, 2012 8:50 pm
Forum: General
Topic: [Solved] Problem, not open, Gmail, youtube, Facebook
Replies: 16
Views: 6703

Re: Problem, not open, Gmail, youtube, Facebook

Is something holding open connections and hitting the limit of 600?
by tjc
Sun Jan 22, 2012 5:38 pm
Forum: General
Topic: [Solved] Problem, not open, Gmail, youtube, Facebook
Replies: 16
Views: 6703

Re: Problem, not open, Gmail, youtube, Facebook

Just a quick note for now, if email continues to work and the web has problems after half an hour then your proxy server is the place to look.
by tjc
Sun Jan 22, 2012 5:29 pm
Forum: Beginner Basics
Topic: Firewall - Block RDP access to server EXCEPT form a single I
Replies: 6
Views: 4286

Re: Firewall - Block RDP access to server EXCEPT form a sing

You need two rules. The first one does an accept and allows only the permitted IP to access the RDP port, the second one does a drop for anything else going to the RDP port. Struggling to find a single rule to do something usually means that you need two or more, and sometimes even a side chain to s...
by tjc
Sun Jan 22, 2012 3:35 am
Forum: General
Topic: v5.12 released
Replies: 144
Views: 25186

Re: v5.12 released

Do I still have to reboot the machine for this change to be effective or is it now automatic?
You still need to reboot, there's actually a popup that says this, if you haven't already checked the "never show this alert again" check box on it.
by tjc
Sun Jan 22, 2012 1:01 am
Forum: General
Topic: v5.12 released
Replies: 144
Views: 25186

Re: v5.12 released

Random changes and other odd stuff that I've noticed in 5.12 (some of these may be from 5.10 or 5.11):
- The SMB service
- Lots of export enhancements and changes, including things like ordering changes ("/snmp" and "/system routerboard settings"), and things which no longer export ("/user group" pol...
by tjc
Sun Jan 22, 2012 12:13 am
Forum: General
Topic: [Solved] Problem, not open, Gmail, youtube, Facebook
Replies: 16
Views: 6703

Re: Problem, not open, Gmail, youtube, Facebook

After cleaning up and reorganizing your firewall rules a couple things jumped out at me. Comments in-line below.
/ip firewall filter
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related
#
# What about dropping invalid connections on the in...
by tjc
Sat Jan 21, 2012 6:55 pm
Forum: Wireless Networking
Topic: 12dB Signal decrease because of snow?
Replies: 5
Views: 1052

Re: 12dB Signal decrease because of snow?

If you think about it, weather radar works by getting reflections from rain and snow. The heavier it is the more reflection and absorption there is. So you have to expect some signal loss from precipitation. Also as rodolfo points out, unlike rain, snow accumulates, on your antennas, on the trees th...
by tjc
Sat Jan 21, 2012 6:53 am
Forum: General
Topic: mac address filtering
Replies: 1
Views: 994

Re: mac address filtering

Smart enough to spoof the IP address may also be smart enough to spoof the MAC address. Some people are just annoyingly clever that way. Your best bet is to approach it the other way around. Configure the firewall filtering on router at your end, to only allow connections originating from your locat...
by tjc
Sat Jan 21, 2012 6:08 am
Forum: Beginner Basics
Topic: First time setup -- DHCP not working
Replies: 1
Views: 642

Re: First time setup -- DHCP not working

Is the upstream gear configured to only talk to the specific MAC address of the old router? I ran into this swapping out an old LinkSys router (which was already spoofing the address of an even earlier D-Link device) and it's pretty common practice for ISPs. Typically you either have to call the ISP...
by tjc
Sat Jan 21, 2012 5:54 am
Forum: Scripting
Topic: Works in Terminal but not in Script
Replies: 1
Views: 552

Re: Works in Terminal but not in Script

You can only use the index numbers in the console, as they're generated dynamically and linked to your console session. Rather than using 0 there use a [find] to get the appropriate item to be updated.
by tjc
Thu Jan 19, 2012 5:20 am
Forum: Beginner Basics
Topic: Access ether2 from ether1 and reverse
Replies: 4
Views: 885

Re: Access ether2 from ether1 and reverse

The default configuration for a RB750G is that the ether1 is the WAN port and 2-5 are the LAN ports. Protecting the LAN from the WAN is its job. It also wants to get its address and other setup via DHCP from the upstream provider, so AFAIK it doesn't default to anything route-able. If you're connec...
by tjc
Tue Jan 17, 2012 2:59 am
Forum: Beginner Basics
Topic: need help whit wan and winbox
Replies: 5
Views: 1656

Re: need help whit wan and winbox

Note that the rule Girith provided above needs to be before this line in your existing filter rules:
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
There are a couple ways to do this;
1) Use the place-before option to add
2) Use the move command f...
by tjc
Tue Jan 17, 2012 2:45 am
Forum: Beginner Basics
Topic: Access ether2 from ether1 and reverse
Replies: 4
Views: 885

Re: Access ether2 from ether1 and reverse

What type of device, and are you using the default configuration? Have you tried using ports 2 and 3?
by tjc
Sun Jan 15, 2012 10:40 pm
Forum: General
Topic: [Solved] Problem, not open, Gmail, youtube, Facebook
Replies: 16
Views: 6703

Re: Problem, not open, Gmail, youtube, Facebook

Firewall rules would generally block something completely. There would be no "slow" or "sometimes". As a result it seems like you should be looking elsewhere for the problem.
by tjc
Sun Jan 15, 2012 7:50 pm
Forum: RouterBOARD hardware
Topic: switch chip
Replies: 3
Views: 2434

Re: switch chip

The Atheros AR7242 listed in the PDF is the CPU not the switch chip. If you look at the board picture in the User Guide here http://routerboard.com/pdf/355/rb750gl-ug.pdf you can see both chips, with the AR8327 being the one closer to the ports.
by tjc
Sun Jan 15, 2012 7:36 pm
Forum: General
Topic: [Solved] Problem, not open, Gmail, youtube, Facebook
Replies: 16
Views: 6703

Re: Problen, not open, Gmail, youtube, Facebook

My first guess would be DNS. How is DNS configured for the router and machines behind it? Are you using the router as your local DNS server? Are you having any resolution problems with the upstream DNS servers? The next thing would be to look at packet loss within your LAN. A relatively small % of l...
by tjc
Sat Jan 14, 2012 9:02 pm
Forum: RouterBOARD hardware
Topic: How to Filter specific IP using RB450G
Replies: 3
Views: 1358

Re: How to Filter specific IP using RB450G

For reference start with the manual page on the wiki: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter You will need to enable the firewall and add some filtering rules. Do you want to filter by source address or destination address? To be more specific, are you trying to deny web browsing ac...
by tjc
Sat Jan 14, 2012 8:38 pm
Forum: General
Topic: Add src to address list question
Replies: 2
Views: 756

Re: Add src to address list question

It goes to the next rule in the current chain.

IIRC the final actions are "accept", "reject", "drop", and "tarpit". All the rest continue processing ("jump" and "return" continue in the destination chain). The ip/firewall/filter wiki page is out of date on this count.
by tjc
Fri Jan 13, 2012 4:19 am
Forum: Beginner Basics
Topic: how to use multipale bandwidth ?
Replies: 4
Views: 1011

Re: how to use multipale bandwidth ?

The LAN side of a DSL modem _is_ an ethernet feed. Connecting two ethernet WAN feeds, through one router, to combine bandwidth, is bonding. Now as fewi points out in another thread, bonding two dissimilar feeds can actually end up reducing the effective bandwidth below just one feed, due to out of o...
by tjc
Fri Jan 13, 2012 4:03 am
Forum: General
Topic: Feature request: Parameters for scripts
Replies: 2
Views: 828

Re: Feature request: Parameters for scripts

+1 This is one of the biggest limitations with the current script model, everything has to be passed through globals which is just crazy.
by tjc
Thu Jan 12, 2012 4:04 am
Forum: Beginner Basics
Topic: how to use multipale bandwidth ?
Replies: 4
Views: 1011

Re: how to use multipale bandwidth ?

Yes. The search term you need is "bonding" . For example: http://wiki.mikrotik.com/wiki/Bonding
by tjc
Sat Jan 07, 2012 8:00 pm
Forum: General
Topic: graphs deleted after reboot on v.5.0 / slow NTP sync
Replies: 52
Views: 15009

Re: graphs deleted after reboot on v.5.0 / slow NTP sync

Do this:
/tool graphing export
Check the top level "store-every=" value. Typically 5 minutes or 1 hour. For each graphing category check for "store-on-disk=yes"
For example:
[admin@MikroTik] /tool graphing> /tool graphing export
# jan/07/2012 12:56:49 by RouterOS 5.9
# software id = 1BS6-EST0
# ...
by tjc
Fri Jan 06, 2012 6:01 am
Forum: General
Topic: Webfig Not Working
Replies: 1
Views: 3684

Re: Webfig Not Working

Yes. It needs to be enabled in the configuration, accessible for the address range, and not blocked by firewall rules. The following CLI command will show if it is enabled, the port and allowed addresses:
/ip service print detail
Also note that for the default configuration webfig is NOT accessible ...
by tjc
Wed Jan 04, 2012 4:11 am
Forum: Beginner Basics
Topic: DHCP assigment static IP
Replies: 4
Views: 28945

Re: DHCP assigment static IP

You can use both, but only need to specify one, so using just the MAC address would probably simplify your life and reduce the chance of errors.

Using client-id is much more common when you're assigning based on host name.
by tjc
Wed Jan 04, 2012 4:02 am
Forum: Beginner Basics
Topic: Question : Add one/range external ip to local network
Replies: 6
Views: 904

Re: Question : Add one/range external ip to local network

Your best bet may be to start with a networking primer. DMZ is a pretty standard term for the part of your network that is exposed to the outside world. In an advanced setup isolated between the outer and inner firewall, in a SOHO setup usually a network segment isolated on a particular port. For ex...
by tjc
Mon Jan 02, 2012 5:39 pm
Forum: Beginner Basics
Topic: DHCP: clientID
Replies: 1
Views: 8748

Re: DHCP: clientID

When a user's machine makes a DHCP request it can optionally include an id. Typically this is something like a known host name, but IIRC it can be arbitrary. The DHCP server can then use this id to identify the machine and assign an address to it. When configuring static leases under "/ip dhcp-server...
by tjc
Sun Jan 01, 2012 10:24 pm
Forum: General
Topic: problem with routerboard 750g .. anybody help ?
Replies: 12
Views: 1628

Re: problem with routerboard 750g .. anybody help ?

I would recommend mapping them to private LAN addresses so you're not blocking some real site or network. So rather than; 30.30.30.0/24, 50.50.50.0/24, 60.60.60.0/24, 70.70.70.0/24, you should probably use something like; 10.10.0.10, 10.10.0.20, 10.10.0.30, 10.10.0.40, ...(*) Also you may want to ma...
by tjc
Sun Jan 01, 2012 10:11 pm
Forum: Beginner Basics
Topic: Question : Add one/range external ip to local network
Replies: 6
Views: 904

Re: Question : Add one/range external ip to local network

For that see fewi's configuration tutorial which covers setting up port forwarding for a DMZ server. http://wiki.mikrotik.com/wiki/How_to_co ... ome_router
by tjc
Sun Jan 01, 2012 8:25 pm
Forum: Beginner Basics
Topic: Question : Add one/range external ip to local network
Replies: 6
Views: 904

Re: Question : Add one/range external ip to local network

The answer is "maybe" but it's not really clear what you're trying to do. Are you trying to remotely administer your router from an external (WAN) location? That's certainly possible, and relatively simple using firewall rules and server (ssh, http, https) configuration. Are you trying to get to a L...
by tjc
Sun Jan 01, 2012 8:10 pm
Forum: Beginner Basics
Topic: DHCP assigment static IP
Replies: 4
Views: 28945

Re: DHCP assigment static IP

Make static may not be the way to do 100 users, but if you do one case and export the configuration before and after, you can compare the exports and then write CLI commands based on that example. This can be a very useful technique since the documentation is often short on examples. Based on that k...
by tjc
Sat Dec 31, 2011 2:29 am
Forum: General
Topic: IPv6 package grayed out?
Replies: 1
Views: 474

Re: IPv6 package grayed out?

In webfig go to system -> packages and click on ipv6 (or any other package in the list). This will take you to a page with 3 buttons across the top - [Cancel] [Enable] [Disable]. Click enable. You may need to reboot for it to take effect.
by tjc
Sat Dec 31, 2011 2:07 am
Forum: General
Topic: problem with routerboard 750g .. anybody help ?
Replies: 12
Views: 1628

Re: problem with routerboard 750g .. anybody help ?

See my response to your duplicate post here: http://forum.mikrotik.com/viewtopic.php?f=14&t=57889
by tjc
Mon Dec 26, 2011 9:12 pm
Forum: Forwarding Protocols
Topic: routerboard 750g .. anybody help ?
Replies: 1
Views: 1039

Re: routerboard 750g .. anybody help ?

Network details would probably help you get a good answer. Most Cable/DSL modems use a fixed address in one of the private ranges for their Web UI. For example the Motorola Surfboard modems default to 192.168.100.1. With a single modem there are a couple easy ways to deal with this on your external ...
by tjc
Sat Dec 24, 2011 5:19 am
Forum: Beginner Basics
Topic: Mikrotik Package Types
Replies: 4
Views: 762

Re: Mikrotik Package Types

http://wiki.mikrotik.com/wiki/Manual:System/Packages

Go to the DL page and choose your model family using the Devices pulldown. It will redirect you to the set for the appropriate architecture. e.g. RB700 Series and RB400 series are both mipsbe.
by tjc
Sat Dec 24, 2011 5:13 am
Forum: Beginner Basics
Topic: Upgrade Procedure
Replies: 2
Views: 620

Re: Upgrade Procedure

Does anyone follow a certain procedure when they go to update the OS on a RB?
Yes.
1) Make a backup using the /system backup command or the webfig equivalent and an export of the whole configuration.
2) Download both to my management workstation.
3) Upload the desired packages. You can do this eith...
by tjc
Tue Dec 06, 2011 5:44 am
Forum: General
Topic: No IGMP Proxy in RB750GL
Replies: 5
Views: 2429

Re: No IGMP Proxy in RB750GL

Please tell me WHY RB750G has IGMP Proxy and RB750GL does not ? Why don't you (Mikrotik People) clearly state the differences between 750G and 750GL in your propaganda? (because if I knew it's about 10$...)
As previously noted you only don't have it because the optional package isn't installed. Bot...
by tjc
Mon Dec 05, 2011 1:16 am
Forum: General
Topic: graphs deleted after reboot on v.5.0 / slow NTP sync
Replies: 52
Views: 15009

Re: graphs deleted after reboot on v.5.0 / slow NTP sync

Same here. With the NTP sync improvement in 5.9 my graphs have now survived multiple reboots. :)
by tjc
Thu Dec 01, 2011 5:48 am
Forum: General
Topic: Package problem
Replies: 2
Views: 431

Re: Package problem

And will the configuration be preserved upon re-installation of the packages or upgrade?
Yes.
by tjc
Tue Nov 22, 2011 7:53 pm
Forum: Beginner Basics
Topic: Router OS Version supported by 411AH & 411AR
Replies: 1
Views: 427

Re: Router OS Version supported by 411AH & 411AR

The following (or the webfig/winbox menu equivalent) will show the information:
/system license print
On the other hand based on comments from MikroTik support, for RouterBoard hardware they seem to allow upgrading to whatever the latest version is, with a license update if necessary.
by tjc
Tue Nov 22, 2011 7:47 pm
Forum: Beginner Basics
Topic: Setup RB450
Replies: 1
Views: 527

Re: Setup RB450

When you're using the DHCP server it supplies all the routing and gateway info to the clients. Are you providing equivalent values when you set up static IPs? Also are the static IPs in the correct range for the LAN configuration on your router? If the router is configuring its LAN addresses in the...
by tjc
Tue Nov 22, 2011 7:11 pm
Forum: Scripting
Topic: Problem with /ip route find [solved]
Replies: 4
Views: 11705

Re: Problem with /ip route find

Looks like you're missing an "="...
[admin@MikroTik] > :put [/ip route find dst-address 0.0.0.0/0]

[admin@MikroTik] > :put [/ip route find dst-address=0.0.0.0/0] 
*30000001
Also note that the bit inside the [] doesn't print anything on the console regardless. You have to use :put for that.
by tjc
Sat Nov 19, 2011 7:21 pm
Forum: Beginner Basics
Topic: Help: New to Mikrotik router. Need help to configure.
Replies: 5
Views: 870

Re: Help: New to Mikrotik router. Need help to configure.

There are a number of basic tutorials on the wiki, for a more complex setup fewi's config guide is probably a good place to start. http://wiki.mikrotik.com/wiki/How_to_co ... ome_router
by tjc
Fri Nov 18, 2011 6:05 am
Forum: Beginner Basics
Topic: System Date and Time Problem
Replies: 6
Views: 2314

Re: System Date and Time Problem

Here is a slightly over elaborate example.
http://wiki.mikrotik.com/wiki/Manual:Sc ... ce_for_NTP

My simplified version is in this post:
http://forum.mikrotik.com/viewtopic.php ... tp#p272010
by tjc
Sat Nov 12, 2011 7:57 pm
Forum: RouterBOARD hardware
Topic: Trouble starting out with my RB450
Replies: 4
Views: 2553

Re: Trouble starting out with my RB450

I tried to access via the IP 192.168.88.1/24 but it comes back as being unable to connect. (First problem) In IP Addresses it correctly lists 192.168.88.1/24 on ether1, but can't connect to it.
Try connecting to ether2. With the default config ports 2-5 are the LAN ports which are set to 192.168.88...
by tjc
Sat Nov 12, 2011 7:44 pm
Forum: RouterBOARD hardware
Topic: My routerboard 750G ,, not booting :(
Replies: 3
Views: 1443

Re: My routerboard 750G ,, not booting :(

Your best bet is probably to use the netinstall utility to re-install the OS: http://wiki.mikrotik.com/wiki/Netinstall
by tjc
Sun Nov 06, 2011 7:19 pm
Forum: Beginner Basics
Topic: Webbox access on 5.8
Replies: 4
Views: 906

Re: Webbox access on 5.8

If you're coming in from outside the LAN (i.e. a smart phone on your mobile provider's network) the default configuration may be blocking access. Look at your firewall configuration and which addresses or interfaces the services are configured to allow access to. Also note that carelessly opening thi...
by tjc
Thu Nov 03, 2011 3:57 am
Forum: Beginner Basics
Topic: Firewall settings - Browser interface v.s. winbox interface
Replies: 6
Views: 1244

Re: Firewall settings - Browser interface v.s. winbox interf

BTW - Webfig in 5.x is far more sophisticated. The one in 4.x is a bit skeletal.
by tjc
Thu Oct 27, 2011 6:09 am
Forum: General
Topic: How to block specific port for range of IP Addresses?
Replies: 27
Views: 35394

Re: How to block specific port for range of IP Addresses?

/ip firewall filter chain=input action=drop protocol=tcp src-address-list=No Entertainment Webpage in-interface=ether4-Office LAN dst-port=8080
/ip firewall filter No Entertainment Webpage=192.168.0.161-192.168.0.180
1) You should not put spaces in the names.
2) That's the wrong syntax for defining...
by tjc
Thu Oct 27, 2011 5:48 am
Forum: Beginner Basics
Topic: How can I access my RB750GL via PoE port?
Replies: 13
Views: 4318

Re: How can I access my RB750GL via PoE port?

Where to begin... Out of the box (or after a hard reset) a RB750GL is configured as a firewall router with a public WAN side on port 1 and private LAN side on ports 2-5. This is obviously only a partial match for your situation. On the other hand you still have a WAN input coming from the ADSL modem...
by tjc
Wed Oct 26, 2011 6:03 am
Forum: RouterBOARD hardware
Topic: Router Stucks between 4-8 PM evening Daily
Replies: 10
Views: 1243

Re: Router Stucks between 4-8 PM evening Daily

More detail earlier is the way to go with these questions. The real key to this kind of troubleshooting is to ask yourself two simple questions.
- What else happens when we see the symptoms. This is pure brainstorming. Be ready to consider even the remotely possible like "a nearby star is causing in...
by tjc
Tue Oct 25, 2011 6:06 am
Forum: Beginner Basics
Topic: 750GL - Do I need to change anything to be safe?
Replies: 2
Views: 536

Re: 750GL - Do I need to change anything to be safe?

The default config is moderately safe if you enabled the firewall. For a next step I'd recommend a walk through the webfig or winbox menus to shut off or disable any packages or services that you don't need. Not using ppp or hotspot or ipv6? Disable them. Also limit the address ranges or interfaces ...
by tjc
Tue Oct 25, 2011 5:52 am
Forum: Beginner Basics
Topic: Auto-updated hostnames from DHCP
Replies: 1
Views: 858

Re: Auto-updated hostnames from DHCP

You have at least a couple options:
- Make the DHCP assignment for the various mac addresses static. This is trivial to do from either winbox or webfig. Search for "make-static" in the on-line manuals. The webfig menu path is:
IP -> DHCP Server -> Leases -> <Lease> -> Make Static
You can even write ...
by tjc
Tue Oct 25, 2011 5:13 am
Forum: RouterBOARD hardware
Topic: Router Stucks between 4-8 PM evening Daily
Replies: 10
Views: 1243

Re: Router Stucks between 4-8 PM evening Daily

Are any of the antennas for your main wireless links facing west into the setting sun? An old time microwave tech I used to know told a "war story" about troubleshooting a corporate link that had weird problems every morning about the same time of day. It turned out that the antenna on the customer...
by tjc
Sat Oct 22, 2011 7:08 pm
Forum: General
Topic: NOT TO DO. Weird instalations?
Replies: 380
Views: 236669

Re: NOT TO DO. Weird instalations?

I almost sprayed tea all over the monitor when I saw those pictures.

I've done some "field expedient" engineering in my time, but that is way out there.
by tjc
Sat Oct 22, 2011 6:49 pm
Forum: Beginner Basics
Topic: How can I access my RB750GL via PoE port?
Replies: 13
Views: 4318

Re: How can I access my RB750GL via PoE port?

First let's clear up some misconceptions. The fact that the PoE port and the WAN port are the same is coincidental. The PoE is a physical "that's where the extra wiring is", but the fact that it's also the WAN port is just a role assignment. If the configuration assigned port 5 as the WAN port you'd ...
by tjc
Sat Oct 22, 2011 6:14 am
Forum: Beginner Basics
Topic: How can I access my RB750GL via PoE port?
Replies: 13
Views: 4318

Re: How can I access my RB750GL via PoE port?

You need to open up the firewall rules to allow external traffic on the input chain.

See this tutorial: http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router
by tjc
Thu Oct 20, 2011 3:57 am
Forum: RouterBOARD hardware
Topic: telnet via internet on RB450
Replies: 6
Views: 1007

Re: telnet via internet on RB450

Are you using the default firewall config? (hint what does /ip firewall filter export show?)

If so the input chain may be dropping traffic from the external interface.

BTW - Doing remote admin via telnet is a bad idea. You should be using ssh or an encrypted webfig session.
by tjc
Tue Oct 18, 2011 7:11 am
Forum: General
Topic: Did anyone tried AMD Zacate
Replies: 5
Views: 1205

Re: Did anyone tried AMD Zacate

450G has an AR7161 0.68 GHz single core (MIPS 24K). Zacate E350 is a 1.6 GHz dual core. There is a bit of an apples and oranges comparison because of the different architectures. For example you don't see ARM processors used for routers because they're supposedly not well suited for it. On the other ...
by tjc
Tue Oct 18, 2011 6:41 am
Forum: Beginner Basics
Topic: Script Policies
Replies: 2
Views: 969

Re: Script Policies

by tjc
Tue Oct 18, 2011 6:27 am
Forum: Scripting
Topic: Packaging script
Replies: 12
Views: 4061

Re: Packaging script

- Simple NTP is already builtin, so no need to install the NTP package unless the router is providing an NTP server to the site.
- There's no need to install the packages separately. You can upload the combined package and the NTP package to the router at the same time and reboot once.
- You're forg...
by tjc
Mon Oct 17, 2011 7:50 am
Forum: General
Topic: RB750GL Strange Problem
Replies: 24
Views: 2180

Re: RB750GL Strange Problem

No i don't use traceroute.
Definitely worth a shot. If routing is breaking down somewhere it's probably the simplest way to figure out where. Other things to look at... From a PC on your LAN check its routes and make sure it still thinks the router is its gateway. As someone else suggested it migh...
by tjc
Mon Oct 17, 2011 7:20 am
Forum: Scripting
Topic: Is it possible to edit the comment using script ?
Replies: 1
Views: 579

Re: Is it possible to edit the comment using script ?

Yes. Mostly anyway. You need a find that matches the comment. There are examples in the script samples on the wiki. Once you find the matching records you can set the profile and comment. Doing the string munging is a bit harder. Huh it looks like find works on strings too... So find to locate the r...
by tjc
Sun Oct 16, 2011 7:48 am
Forum: General
Topic: RB750GL Strange Problem
Replies: 24
Views: 2180

Re: RB750GL Strange Problem

Do you have any QOS switching configured? Maybe under UPS power it's ending up in an odd state?
No i don't have QOS. i directly connected to the RB with wire on lan 4.
QOS also applies to hard wired systems. If you have multiple lines and do load balancing, or fail over, or ... you are probably usi...
by tjc
Sat Oct 15, 2011 6:28 pm
Forum: General
Topic: RB750GL Strange Problem
Replies: 24
Views: 2180

Re: RB750GL Strange Problem

Interesting problem. So what could be different when the system is running on UPS power? There must be something. Is it a continuous system or is there some switching delay? (do the router or the modems lose power and reboot) Have you checked the routes when it's running on the UPS? Are the differen...
by tjc
Thu Oct 13, 2011 4:41 am
Forum: RouterBOARD hardware
Topic: Router Stucks between 4-8 PM evening Daily
Replies: 10
Views: 1243

Re: Router Stucks between 4-8 PM evening Daily

Are any of the antennas for your main wireless links facing west into the setting sun?
by tjc
Sat Oct 08, 2011 7:05 pm
Forum: General
Topic: v5.6 released
Replies: 91
Views: 20825

Re: v5.6 released

IIRC the graphing issue is related to the NTP server package taking too long to sync the system clock, and when the graphs are updated the time gap causes it to clear them. If you don't need the NTP server capabilities, using the simple NTP client rather than the separate package is supposed to avoi...
by tjc
Sat Oct 08, 2011 6:54 pm
Forum: RouterBOARD hardware
Topic: RB751U-2HnD not IPv6 capable?
Replies: 2
Views: 940

Re: RB751U-2HnD not IPv6 capable?

Do you have the IPV6 package installed and enabled? IIRC it is not enabled by default.

BTW - Look under /system packages for it.
by tjc
Sat Oct 08, 2011 6:44 pm
Forum: Beginner Basics
Topic: Move config from one RB to another
Replies: 2
Views: 2374

Re: Move config from one RB to another

A script is probably the best way. Start with an export file from the router you want to use as your master configuration. To simplify things you can trim out anything which you don't care about (for example if you're not using bgp or ospf you can leave those out) or anything you've left at the defau...
by tjc
Tue Oct 04, 2011 8:17 am
Forum: General
Topic: How can i get this to work for each Ip Address
Replies: 1
Views: 1379

Re: How can i get this to work for each Ip Address

Not sure what the question is exactly so this is just a guess, are you trying to get those mangle rules to be applied for a certain set of IP addresses? If so you need two things; #1 an address list with either the IPs to apply it to or the ones not to apply it to. For example "throttlingList" #2 Mo...
by tjc
Mon Oct 03, 2011 3:52 am
Forum: Beginner Basics
Topic: connecting 2 sites together
Replies: 2
Views: 365

Re: connecting 2 sites together

Firewall rules?
by tjc
Sun Oct 02, 2011 9:55 pm
Forum: General
Topic: Hi all
Replies: 4
Views: 838

DHCP Server problems (was Re: Hi all)

The DHCP server does work in those versions, but given how the RouterOS configuration language tends to change, you might have something from an older version that it doesn't like. I wouldn't go to the full reset path, but probably would drop the old DHCP config and redo that bit. Just fire up webfi...
by tjc
Sat Oct 01, 2011 7:40 pm
Forum: General
Topic: NAT not sufficient.
Replies: 3
Views: 576

Re: NAT not sufficient.

You may want to narrow that "accept" rule some. Limiting it by source address or allowed ports will help reduce your exposure.
by tjc
Sat Oct 01, 2011 7:23 pm
Forum: Beginner Basics
Topic: Change multiple router settings with one script
Replies: 1
Views: 568

Re: Change multiple router settings with one script

Yes of course. There are few things that you can't do from the API (e.g. one that recently came up is import SSL certificates) but most stuff you can do from a console session (including issuing multiple commands to change multiple settings) you can do from the API.
by tjc
Sat Oct 01, 2011 7:18 pm
Forum: Beginner Basics
Topic: can't access 2nd rb750g via winbox
Replies: 11
Views: 3189

Re: can't access 2nd rb750g via winbox

It almost sounds like your ISP isn't routing to the 2nd address properly.

Have you tried a traceroute to see where the packets are going?
by tjc
Sat Oct 01, 2011 7:14 pm
Forum: Beginner Basics
Topic: Basic setup
Replies: 3
Views: 652

Re: Basic setup

See fewi's recent beginners setup guide. It's very detailed and covers some NAT basics: http://wiki.mikrotik.com/wiki/How_to_co ... ome_router

The reference page is also quite useful: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
by tjc
Sat Oct 01, 2011 7:05 pm
Forum: Beginner Basics
Topic: Unable to login in webfig linux fedora
Replies: 2
Views: 662

Re: Unable to login in webfig linux fedora

WFM. I've never used anything but my Fedora (currently F15) based WS to administer a RB750G, using either webfig (and Firefox) or ssh. This is with RouterOS versions from 4.17 through the current 5.7. What version of Fedora? What browser are you using? Are you connecting using HTTP or HTTPS? What pl...
by tjc
Fri Sep 30, 2011 4:27 am
Forum: Scripting
Topic: Packaging script
Replies: 12
Views: 4061

Re: Packaging script

I was referring to the possibility of creating a package that contains many scripts, not just one. There's a very small difference between having one script on a computer and many. Especially given remote access. Think of that first script as your setup boot strap. You could have it retrieve as man...
by tjc
Thu Sep 29, 2011 3:53 am
Forum: Beginner Basics
Topic: Disable logging in a script
Replies: 1
Views: 796

Re: Disable logging in a script

I don't know about turning it off, but you can redirect and limit it. See this manual page on the wiki: http://wiki.mikrotik.com/wiki/Manual:System/Log#Logging_configuration The key is probably to create a custom action (say "smallMemory" with a limit of maybe 5 lines) and redirect script output to ...
by tjc
Thu Sep 29, 2011 3:35 am
Forum: Scripting
Topic: Packaging script
Replies: 12
Views: 4061

Re: Packaging script

You apparently can customize the default settings script when using netinstall.
by tjc
Sun Sep 25, 2011 10:55 pm
Forum: General
Topic: Problem upgrading bootloader
Replies: 15
Views: 4801

Re: Problem upgrading bootloader

My successes were more or less the same only with webfig rather than winbox. I don't think I've ever tried to upgrade the bootloader from the CLI.
by tjc
Sun Sep 25, 2011 3:07 am
Forum: General
Topic: Erase Default Configuration Script
Replies: 6
Views: 2421

Re: Erase Default Configuration Script

So to get netinstall to set up an image with a custom configure script see this page: http://wiki.mikrotik.com/wiki/Netinstall Looks like you check the "Configure script" box and specify the script file in the text field to the right of that. Can someone who has done this confirm?
by tjc
Sat Sep 24, 2011 6:53 pm
Forum: Beginner Basics
Topic: 2wan,1lan,2 gateway how please
Replies: 1
Views: 493

Re: 2wan,1lan,2 gateway how please

This wiki page covers a two WAN setup: http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling

There is a lot of other good info on the wiki: http://wiki.mikrotik.com/wiki/Manual
by tjc
Sat Sep 24, 2011 5:59 pm
Forum: Beginner Basics
Topic: question on configuring WEBfig
Replies: 6
Views: 4575

Re: question on configuring WEBfig

what do you mean a certificate? how is this done?
http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html

For private admin purposes a self signed certificate is probably sufficient.
by tjc
Sat Sep 24, 2011 5:46 pm
Forum: Beginner Basics
Topic: hiding mikrotik 5.0rc3 first page on port 80
Replies: 1
Views: 397

Re: hiding mikrotik 5.0rc3 first page on port 80

Restricting access to it so that only specified Admin machines can connect is one possibility, either via the server config (allowed IP) or using firewall rules (IP or interface). The problem is that until you logon there's no other way for it to know that you're an admin. If restricting access by I...
by tjc
Sat Sep 24, 2011 5:07 pm
Forum: RouterBOARD hardware
Topic: RB750 CPU LOAD 100%
Replies: 9
Views: 7207

Re: RB750 CPU LOAD 100%

Have you run "/tool profile" to see what is using all the CPU?
by tjc
Sat Sep 24, 2011 6:54 am
Forum: General
Topic: Erase Default Configuration Script
Replies: 6
Views: 2421

Re: Erase Default Configuration Script

If I'm reading the script correctly that just runs it with the action set to "revert".

At a guess that script is baked in as part of the OS image and can't be changed other than as part of it.
by tjc
Sat Sep 24, 2011 6:12 am
Forum: Beginner Basics
Topic: question on configuring WEBfig
Replies: 6
Views: 4575

Re: question on configuring WEBfig

You have to give it a certificate for it to work. As for a "standard" firewall there are a number described in the documentation on the wiki. http://wiki.mikrotik.com/wiki/Category:Firewall A minimal one allows established and related connections and drops anything else from the outside (WAN) interface...
by tjc
Thu Sep 22, 2011 8:10 pm
Forum: Beginner Basics
Topic: Firewall + Mikrotik usage
Replies: 1
Views: 373

Re: Firewall + Mikrotik usage

It kind of depends on the upstream address. For example: a=128-254 b=1 xyz=2-126 should work with a 7 bit netmask for the downstream "private" range. If you don't have control of the upstream address, it gets a lot harder.
by tjc
Tue Sep 20, 2011 8:09 pm
Forum: General
Topic: $50 for Router Setup and Configuration Guide
Replies: 22
Views: 2168

Re: $50 for Router Setup and Configuration Guide

Fewi's setup guide linked above is very extensive and effectively a CLI tutorial. There are also quite a number of other setup guides and even wizard type setup scripts on the wiki. For example: http://wiki.mikrotik.com/wiki/A_script_ ... ou_started
by tjc
Tue Sep 20, 2011 8:04 pm
Forum: General
Topic: Firewall LOG problem
Replies: 4
Views: 834

Re: Firewall LOG problem

What does your logging rule look like?
by tjc
Tue Sep 20, 2011 7:58 pm
Forum: General
Topic: RB450 running 3.28 OS will not upgrade
Replies: 7
Views: 1375

Re: RB450 running 3.28 OS will not upgrade

That may be due to a specific DHCP bug in 5.7. Still worth a shot. Backup first so you can rollback and then try it.
by tjc
Tue Sep 20, 2011 6:31 pm
Forum: General
Topic: RB450 running 3.28 OS will not upgrade
Replies: 7
Views: 1375

Re: RB450 running 3.28 OS will not upgrade

See this thread where he suggests upgrading to 4.17 first and then to 5.7 http://forum.mikrotik.com/viewtopic.php?f=2&t=55152

(Dang how can a cut&paste get so scrambled? Fixed now...)
by tjc
Tue Sep 20, 2011 6:27 pm
Forum: General
Topic: RB450 running 3.28 OS will not upgrade
Replies: 7
Views: 1375

Re: RB450 running 3.28 OS will not upgrade

That would be my guess. I think Normis would tell you to contact Mikrotik support.
by tjc
Tue Sep 20, 2011 6:19 pm
Forum: General
Topic: RB450 running 3.28 OS will not upgrade
Replies: 7
Views: 1375

Re: RB450 running 3.28 OS will not upgrade

Is 3.28 before the 7->8 character license id key change? You may need to get an updated license...

What does this show:
/system license print
by tjc
Tue Sep 20, 2011 5:50 pm
Forum: RouterBOARD hardware
Topic: RB750G firmware upgrade problem
Replies: 28
Views: 14458

Re: RB750G firmware upgrade problem

What packages did you install for 5.7?
What I'm wondering here is if you might get different results using the combined .npk package versus the separate ones...
by tjc
Tue Sep 20, 2011 5:47 pm
Forum: RouterBOARD hardware
Topic: RB751
Replies: 73
Views: 20873

Re: RB751

Just a curiosity question, can the USB port be used as a console port? That would be very cool.
by tjc
Tue Sep 20, 2011 4:55 am
Forum: RouterBOARD hardware
Topic: Fried RB450G?
Replies: 7
Views: 936

Re: Fried RB450G?

How about a USB to serial adapter?
by tjc
Tue Sep 20, 2011 4:53 am
Forum: RouterBOARD hardware
Topic: RB750G firmware upgrade problem
Replies: 28
Views: 14458

Re: RB750G firmware upgrade problem

What packages did you install for 5.7?
by tjc
Mon Sep 19, 2011 7:54 am
Forum: General
Topic: CPU frequency RB750G set to 100 MHz
Replies: 7
Views: 5052

Re: CPU frequency RB750G set to 100 MHz

Be aware that the clock speed change doesn't take effect until you reboot. Not sure if the "keep-frequency" matters or not, I'd have to check the on-line documentation. I've been thinking about dialing mine down to about half speed to see if it saves power. Of course it already draws very little so ...
by tjc
Sun Sep 18, 2011 6:31 pm
Forum: General
Topic: Accessing SSH or WINBOX
Replies: 6
Views: 3768

Re: Accessing SSH or WINBOX

Also consider configuring SSH on a nonstandard port. That cuts down on the number of probes like 100x. While this won't stop a determined attacker who has specifically targeted you, it will cut down on the number of attempts by scanners looking for easy targets. Sometimes you don't have to run faste...
by tjc
Sun Sep 18, 2011 6:19 pm
Forum: General
Topic: Accessing SSH or WINBOX
Replies: 6
Views: 3768

Re: Accessing SSH or WINBOX

You can add a rule or rules above that which accept traffic on the two relevant ports (22 and 8291). You should also do one or more of the following to make that a bit safer: - Limit the src address(es) allowed to connect to those ports - Set up a port knocking scheme as shown in this how-to - http:...
by tjc
Sun Sep 18, 2011 4:51 pm
Forum: General
Topic: Accessing SSH or WINBOX
Replies: 6
Views: 3768

Re: Accessing SSH or WINBOX

It looks like your firewall rules explicitly allow winbox, and it looks like you were connecting with it to capture those images, so what's the problem?

Are you trying to prevent other people from accessing it?
by tjc
Sun Sep 18, 2011 4:38 pm
Forum: Beginner Basics
Topic: setting up rb433
Replies: 3
Views: 753

Re: setting up rb433

http://wiki.mikrotik.com/wiki/How_to_configure_a_home_router - A new CLI tutorial http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router - An older tutorial http://wiki.mikrotik.com/wiki/A_script_to_set_up_WAN/LAN/WLAN_to_get_you_started - An automated setup script. http://wiki.mikrotik.com/wik...
by tjc
Sun Sep 18, 2011 2:28 am
Forum: General
Topic: Problem upgrading bootloader
Replies: 15
Views: 4801

Re: Problem upgrading bootloader

I'm pretty sure that is misinformation, since my RB750G is working just fine with the latest 5.7 and boot loader 2.36.
[admin@MikroTik] > /system routerboard print
routerboard: yes
model: 750G
serial-number: 268E0173081C
current-firmware: 2.36
upgrade-firmware: 2.36
[admin@MikroTik] > /system resour...
by tjc
Sat Sep 17, 2011 7:34 pm
Forum: General
Topic: Problem with rb750 configuration, cant ping from other subne
Replies: 2
Views: 1586

Re: Problem with rb750 configuration, cant ping from other s

Hi, I changed 433 for rb750g. At first I could restore backup from rb433(same versions of routeros - 4.6). Backups are specific to the router you made them on due to things like serial numbers and MAC addresses. You can't use a backup from one 433 on another let alone another model. Then I exported...
by tjc
Sat Sep 17, 2011 7:05 pm
Forum: General
Topic: Problem upgrading bootloader
Replies: 15
Views: 4801

Re: Problem upgrading bootloader

Similar issues reported in this thread http://forum.mikrotik.com/viewtopic.php?f=3&t=55044 and the 5.7 announcement thread. Using a different path (i.e. CLI/Winbox/Webfig) or doing the upgrade step wise may help.
by tjc
Sat Sep 17, 2011 6:58 pm
Forum: General
Topic: RouterOS v5.7 released
Replies: 227
Views: 67243

Re: RouterOS v5.7 released

Anyone had any issues upgrading the routerboard bootloader firmware? It took a couple of tries on some other units but I have a 450G that's not taking the upgrade. It says it is, but after a reboot it's still the same. I haven't had this issue with previous versions. The same problem i am experienc...
by tjc
Sat Sep 17, 2011 5:35 am
Forum: Beginner Basics
Topic: Question about opening a port.
Replies: 2
Views: 367

Re: Question about opening a port.

You may need a NAT rule to map from the external IP and www or https port to the server.

BTW - Information about the current router config would help you get a better answer. There's a standard list of exports that the pros ask for.
by tjc
Sat Sep 17, 2011 5:27 am
Forum: General
Topic: RouterOS v5.7 released
Replies: 227
Views: 67243

Re: RouterOS v5.7 released

I noticed that after the upgrade my l2mtu is now 1520 rather than 1524 as previously documented. Not a serious issue for me, but it seems like it might be for folks who've tuned their MTUs on other gear to match the old values.

Any particular reason for the change?
by tjc
Sat Sep 17, 2011 5:21 am
Forum: General
Topic: graphs deleted after reboot on v.5.0 / slow NTP sync
Replies: 52
Views: 15009

Re: graphs deleted after reboot on v.5.0 / slow NTP sync

I got bit by this again last night after rebooting to upgrade to 5.7, despite setting the "update to disk interval" to an hour so the NTP client would have time to sync. As a software guy, Chupaka's suggestion makes a lot of sense, if you know that the current time is bogus, and the file date is far...
by tjc
Sat Sep 17, 2011 5:14 am
Forum: Beginner Basics
Topic: [How to] configure a home router
Replies: 3
Views: 602

Re: [How to] configure a home router

Very nice... That's far more of a CLI tutorial than just a simple setup how to. :D
by tjc
Sat Sep 17, 2011 5:06 am
Forum: RouterBOARD hardware
Topic: RB750G firmware upgrade problem
Replies: 28
Views: 14458

Re: RB750G firmware upgrade problem

You might try going step wise. I just did this last night going from 5.6 with boot loader version 2.29 to 5.7 with version 2.36 without any problems. The big difference seems to be that I'd already upgraded from 5.5 to 5.6. No idea why it might make a difference, but it's certainly worth a shot. I just...
by tjc
Fri Sep 16, 2011 3:45 am
Forum: General
Topic: RouterOS v5.7 released
Replies: 227
Views: 67243

Re: RouterOS v5.7 released

*) improved ipv4 forwarding performance on all boards with simple configuration by up to 30% I can't place this improvement. Can anybody explain? They obviously cut the basic packet latency. If your firewall, queue rules, bridging, ... don't swamp the difference you'll see an improvement. If before...
by tjc
Thu Sep 15, 2011 4:27 am
Forum: Beginner Basics
Topic: ip firewall confusion
Replies: 16
Views: 1160

Re: ip firewall confusion

so what is my source address? no one has answered that. since not adding a ! makes the rule work. im still quite confused, and the rules fewi posted above don't work for me In the example you gave? 101.0.1.254 The rule you gave explicitly doesn't not match anything in that address range, so it's ig...
by tjc
Wed Sep 14, 2011 5:27 am
Forum: Beginner Basics
Topic: ip firewall confusion
Replies: 16
Views: 1160

Re: ip firewall confusion

Anything which is not forbidden is allowed. Ask yourself, what happens if you have no filter rules? If you said "everything is accepted" you get a gold star. Now filter rules 101: Packets are compared against each rule in the relevant chain until one of the following occurs; 1) They match and are ex...
by tjc
Wed Sep 14, 2011 5:10 am
Forum: Scripting
Topic: How to drop a particular site for a particular pravite IP...
Replies: 5
Views: 1000

Re: How to drop a particular site for a particular pravite I

You would need to write a simple script that runs every minute or so and looks for the MAC address. Something like this:
:local IPaddress [/ip dhcp-server lease get [find mac-address="FF:FF:FF:FF:FF:FF"] address]
/ip firewall filter add action=drop chain=forward comment="Drop unwanted connections" s...
by tjc
Sun Sep 11, 2011 7:18 pm
Forum: General
Topic: API Port 8728 - Not Available
Replies: 13
Views: 18506

Re: API Port 8728 - Not Available

BTW - You should really lock down some of those services. I would disable the unencrypted ones and limit the allowed addresses for the rest.
by tjc
Sun Sep 11, 2011 7:10 pm
Forum: General
Topic: API Port 8728 - Not Available
Replies: 13
Views: 18506

Re: API Port 8728 - Not Available

Not if I don't tell it to scan ports in that range (default is only 1-1000), but if I do yes.
[tjc@x2 ~]$ nmap -p1-1000,8000-8999 router
Starting Nmap 5.50 ( http://nmap.org ) at 2011-09-11 12:09 EDT
Nmap scan report for router (192.168.1.1)
Host is up (0.0033s latency).
Not shown: 1995 closed ports
PO...
by tjc
Sun Sep 11, 2011 6:16 pm
Forum: General
Topic: some youser only access to open only site
Replies: 2
Views: 407

Re: some youser only access to open only site

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall

Your question is too vague to give a specific answer. You may want to read up on firewall configuration, traffic control and related topics then ask about the parts that you didn't understand.
by tjc
Sun Sep 11, 2011 7:16 am
Forum: General
Topic: API Port 8728 - Not Available
Replies: 13
Views: 18506

Re: API Port 8728 - Not Available

I just tested 5.6 with the Python API after enabling the service and it worked.
/ip service enable api
[admin@MikroTik] > /ip service print where name=api
Flags: X - disabled, I - invalid
 #   NAME   PORT   ADDRESS          CERTIFICATE
 5   api    8728   192.168.1.0/24
Maybe setting an address matters?
by tjc
Sun Sep 11, 2011 6:29 am
Forum: General
Topic: API Port 8728 - Not Available
Replies: 13
Views: 18506

Re: API Port 8728 - Not Available

Have you checked that the user belongs to a group with api permissions?
by tjc
Sun Sep 11, 2011 6:23 am
Forum: General
Topic: disaster need help please
Replies: 15
Views: 1751

Re: disaster need help please

If you can tell what the proxy server addresses are blacklist them. If there's a way to detect the problem connections automatically (you can obviously tell it's happening, what characteristics are you using to identify it?) you can automatically add the destination addresses to a blacklist which wi...
by tjc
Sat Sep 10, 2011 7:38 pm
Forum: Wireless Networking
Topic: 5Ghz wave reflection by double glazing?
Replies: 7
Views: 2175

Re: 5Ghz wave reflection by double glazing?

I don't find this surprising at all. Anything that you put between two RF transceivers is going to interfere with and attenuate the signal to some extent. That depends on the material, its density, and the length of transit. It may also refract the signal (think light through a prism) and the l...
by tjc
Sat Sep 10, 2011 6:44 pm
Forum: General
Topic: Problem in MikroTik Connection
Replies: 7
Views: 940

Re: Problem in MikroTik Connection

Too much power at a very short range is like using a bullhorn (powered megaphone) to talk to someone 5 feet away in a small echo prone room. If some is good, more is *not* always better. A sprinkle of salt can make your food taste better, a shovel full of salt can make it inedible. The right amount ...
by tjc
Sat Sep 10, 2011 6:18 pm
Forum: Scripting
Topic: How to drop a particular site for a particular pravite IP...
Replies: 5
Views: 1000

Re: How to drop a particular site for a particular pravite I

This sounds more like a firewall question than a scripting question. Are the private IPs statically assigned? If so a pair of firewall rules should work if you have the firewall enabled and put it at the right place in your forwarding chain. Assuming that the customer is on 10.10.10.10 and the remot...
by tjc
Sat Sep 10, 2011 3:00 am
Forum: Beginner Basics
Topic: Does the 750gl have Voltage monitor and Temp monitor or not
Replies: 1
Views: 824

Re: Does the 750gl have Voltage monitor and Temp monitor or

Probably not since the very similar predecessor RB750G doesn't either. They would appear under:
/system health print
but you may find that the only thing which displays there is a bogus voltage value.
by tjc
Sat Sep 10, 2011 2:51 am
Forum: Scripting
Topic: Scripts won't run
Replies: 11
Views: 3670

Re: Scripts won't run

I think the request was for an external syntax checker with diagnostics. That would definitely be a very useful tool.
by tjc
Thu Sep 08, 2011 8:01 am
Forum: Beginner Basics
Topic: routeros 5.6 need help configuring basic Firewall rules
Replies: 3
Views: 605

Re: routeros 5.6 need help configuring basic Firewall rules

BTW - What hardware are you using? The defaults above are true for models like the RB750, RB450, ... but may not hold for all.
by tjc
Thu Sep 08, 2011 7:59 am
Forum: Beginner Basics
Topic: routeros 5.6 need help configuring basic Firewall rules
Replies: 3
Views: 605

Re: routeros 5.6 need help configuring basic Firewall rules

External WAN ETH1 Default config Internal LAN ETH2 Default config DHCP on ETH2 Default config 10.1.1.0/24 on ETH2 You'll need to change the various LAN addresses from the default of 192.168.88.x to 10.1.1.x. There are 3 main places. /ip address for ether2-local-master /ip dhcp-server network /ip po...
by tjc
Thu Sep 08, 2011 7:25 am
Forum: Scripting
Topic: Handling expected errors?
Replies: 15
Views: 9091

Re: Handling expected errors?

I am aware that the ":execute" command is not documented, but it should be. It works really well. I've been using it since the V2.9.x era. Yeah, mostly just grumbling about the gaps in the documentation, which can be very frustrating. The synchronization is handled by the "done" variable. That is t...
by tjc
Thu Sep 08, 2011 6:54 am
Forum: Scripting
Topic: Handling expected errors?
Replies: 15
Views: 9091

Re: Handling expected errors?

what ROS version you are using?
Running RouterOS 5.6.

On the other hand I was just testing with
:put [:resolve <ip-address-here>]
and did not see any problems. I may have just been at the point where the code on the screen all turns to meaningless squiggly lines, and forgot the ":print" part.
by tjc
Thu Sep 08, 2011 6:12 am
Forum: General
Topic: linux users
Replies: 9
Views: 721

Re: linux users

I don't know about winbox, but the webfig UI can upload the files, or you can scp or sftp them to the router from a Linux box. I've used both sftp and uploading via webfig to upgrade.
by tjc
Thu Sep 08, 2011 6:03 am
Forum: Beginner Basics
Topic: Two question about upgrading to FW version 5.x
Replies: 2
Views: 469

Re: Two question about upgrading to FW version 5.x

if I upgrade would I have to re-configure my router (or do the settings carry over). The settings generally carry over. That said, be sure to do a backup and a full export before upgrading and download them to somewhere safe. You'll want the backup if you decide to roll back to the previous version...
by tjc
Wed Sep 07, 2011 7:25 am
Forum: General
Topic: disaster need help please
Replies: 15
Views: 1751

Re: disaster need help please

Searching for "how to block hotspot shield" should provide some answers. Apparently it uses a proxy service and you can block the addresses associated with that along with ports that it's known to use using simple firewall filter rules. There's apparently even a mikrotik wiki page on this: http://wi...
by tjc
Wed Sep 07, 2011 6:51 am
Forum: Scripting
Topic: Handling expected errors?
Replies: 15
Views: 9091

Re: Handling expected errors?

":execute script-name" - not documented in the manual on the wiki, but does seem to run the script in the background. "/system script run script-name" - doesn't seem to do that. That just leaves the problem of synchronization... And why :resolve often returns nothing when nslookup (using the router...
by tjc
Wed Sep 07, 2011 5:16 am
Forum: General
Topic: Trouble in 5.6
Replies: 24
Views: 1730

Re: Trouble in 5.6

The L7 filtering thing is a known issue, it's supposed to be fixed in 5.7, don't remember if there is any workaround.
by tjc
Tue Sep 06, 2011 6:46 am
Forum: General
Topic: RB750GL and basic settings - security
Replies: 6
Views: 1747

Re: RB750GL and basic settings - security

I'd narrow these rules to just pass the specific ports needed to the specific hosts needed. You mean I should add to the MAIL rule dst-port=25 ? I would narrow the mail rule to a specific port and the vpn rule to a specific host or hosts. I would also put the mail server and anything else which can...
by tjc
Mon Sep 05, 2011 6:20 pm
Forum: General
Topic: RB750GL and basic settings - security
Replies: 6
Views: 1747

Re: RB750GL and basic settings - security

3 ;;; MAIL chain=forward action=accept dst-address=192.168.1.200
4 ;;; VPN chain=input action=accept protocol=tcp dst-port=1723
I'd narrow these rules to just pass the specific ports needed to the specific hosts needed. If possible I'd isolate any servers which will be exposed to the WAN in a "DMZ"...
by tjc
Mon Sep 05, 2011 6:01 pm
Forum: Beginner Basics
Topic: before learn microtik
Replies: 1
Views: 517

Re: before learn microtik

Without knowing what you already understand it's hard to say. Just for starters. At least basic networking and routing. How IP, ICMP, UDP, TCP, ... work together. What host addresses, net masks, network and broadcast addresses are. How to set up the networking on a Unix/Linux box, How basic services ...
by tjc
Mon Sep 05, 2011 5:42 pm
Forum: Beginner Basics
Topic: Problems setting up RB450G, basic home router setup
Replies: 15
Views: 3778

Re: Problems setting up RB450G, basic home router setup

Sorry to hear that. My personal experience with RB was very different, within a couple hours the first night after it arrived (which was a work night) it was doing test firewall duty with the desired addresses, and by the end of that Saturday had been upgraded to RouterOS 5.5, was acting as the NTP ...
by tjc
Mon Sep 05, 2011 5:26 am
Forum: Beginner Basics
Topic: Problems setting up RB450G, basic home router setup
Replies: 15
Views: 3778

Re: Problems setting up RB450G, basic home router setup

Learning how to reset the router and what the default configs are is one of those pieces of info that you just know you're going to need. I've already had to do that at least once after a bad cut & paste created a firewall filter rule that locked me out. Here is the wiki page fewi was talking about:...
by tjc
Sun Sep 04, 2011 11:38 pm
Forum: Beginner Basics
Topic: Problems setting up RB450G, basic home router setup
Replies: 15
Views: 3778

Re: Problems setting up RB450G, basic home router setup

The various new router setup guides on the wiki are worth mentioning too. Although the port knocking setup the one mentions is the type of thing that always makes me a bit nervous, and the firewall rules are a bit elaborate for a newbie's SOHO config. http://wiki.mikrotik.com/wiki/Securing_New_Router...
by tjc
Sun Sep 04, 2011 11:24 pm
Forum: Beginner Basics
Topic: RB450, openwrt?? Does any know good direction?
Replies: 6
Views: 1611

Re: RB450, openwrt?? Does any know good direction?

Setting up a RB is a bit more complicated than the average point and grunt consumer router, but it's actually not that hard if you've worked with something like Cisco gear before. Default setup is already firewalled and sane with ether1 as the WAN IF with a DHCP client facing out, and ether2-5 switc...
by tjc
Sun Sep 04, 2011 11:08 pm
Forum: Beginner Basics
Topic: Problems setting up RB450G, basic home router setup
Replies: 15
Views: 3778

Re: Problems setting up RB450G, basic home router setup

Hey fewi, do you usually leave the default 192.168.88.x IPs in place and just add the desired private addresses on top of that?
by tjc
Sun Sep 04, 2011 11:03 pm
Forum: Beginner Basics
Topic: Problems setting up RB450G, basic home router setup
Replies: 15
Views: 3778

Re: Problems setting up RB450G, basic home router setup

Also don't forget to set up an NTP client at the very least so that the router knows the right date & time for logs and such.
by tjc
Sun Sep 04, 2011 10:21 pm
Forum: Beginner Basics
Topic: RB450, openwrt?? Does any know good direction?
Replies: 6
Views: 1611

Re: RB450, openwrt?? Does any know good direction?

You can probably do that, but the RouterOS it came with is also Linux based, and very capable. Unless you have some very particular requirement you might be better off trying it. Like you I discovered the RouterBoard hardware while looking for a SBC to use with a Linux or BSD based router distro, bu...
by tjc
Sun Sep 04, 2011 1:37 am
Forum: Scripting
Topic: Handling expected errors?
Replies: 15
Views: 9091

Re: Handling expected errors?

Wow... When you isolate the problem command in its own script and run it. It still breaks the outer script. That's just plain broken. janisk - What am I doing wrong here? AFAICT this is what you told me works. 1 name="safe-resolve" owner="admin" policy=read,write,test last-started=sep/03/2011 18:29...
by tjc
Sat Sep 03, 2011 7:27 pm
Forum: Scripting
Topic: Handling expected errors?
Replies: 15
Views: 9091

Re: Handling expected errors?

Since the scripting language doesn't even seem to provide a way to pass parameters to scripts without using global variables (I'd be delighted to learn otherwise) it's especially annoying. To put the resolve into a "safe" wrapper you need to set a global for the input parameter, set another global f...
by tjc
Thu Sep 01, 2011 5:35 am
Forum: Scripting
Topic: Handling expected errors?
Replies: 15
Views: 9091

Re: Handling expected errors?

OK, that gives me some ideas, but it seems really... clunky.

Two scripts to do a simple loop, just because one command could fail, seems to cry out for a bit of language support, like a ":try" or something, or maybe a flavor of [] command substitution that deals with errors.
by tjc
Wed Aug 31, 2011 8:09 am
Forum: Scripting
Topic: Handling expected errors?
Replies: 15
Views: 9091

Handling expected errors?

So I got curious about where the trouble makers in my blacklist were coming from and tried something like this:
/ip firewall address-list> :foreach a in=[find where list=blacklist dynamic] do={:put [:resolve [/ip firewall address-list get $a address]] }
It's supposed to walk through the dynamic addr...
by tjc
Sun Aug 28, 2011 7:43 am
Forum: General
Topic: Performance troubles with firewall (RB450G)
Replies: 6
Views: 830

Re: Performance troubles with firewall (RB450G)

The product page does show a pretty substantial hit for the firewall and connection tracking: http://routerboard.com/RB450G but with reasonable frame sizes it should still be able to do it. What OS version are you running? (The tests are apparently for v5.x)
by tjc
Sun Aug 28, 2011 3:11 am
Forum: General
Topic: Performance troubles with firewall (RB450G)
Replies: 6
Views: 830

Re: Performance troubles with firewall (RB450G)

What's the MTU set to on your PC? Since most of the RBs only support 1500 (1524 for the L2MTU), you may be fragmenting if both ends of the link think they can do jumbo frames.
by tjc
Sat Aug 27, 2011 10:11 pm
Forum: General
Topic: Performance troubles with firewall (RB450G)
Replies: 6
Views: 830

Re: Performance troubles with firewall (RB450G)

How are you testing and what packet sizes are you using? Also did you mean bits or bytes? I pretty consistently test at the promised 25 Mbps (bits) from Comcast with a RB750G (a step down from your RB450G) with single digit CPU usage for a somewhat more complex than default firewall rule set. Given ...
by tjc
Sat Aug 27, 2011 8:32 pm
Forum: General
Topic: Firewall rule - reject with exception for some IPs
Replies: 3
Views: 1943

Re: Firewall rule - reject with exception for some IPs

You're asking for very, very basic stuff. I often suspect that the missing clue most people new to filtering need is rule S versus rule. You always need to think of a filter rule as only part of a set of rules which work together. Once you internalize the notion of using multiple rules with excepti...
by tjc
Sat Aug 27, 2011 7:55 pm
Forum: Beginner Basics
Topic: i need sample firewall rules help??????????????????
Replies: 6
Views: 2940

Re: i need sample firewall rules help??????????????????

Firewall filtering is easy, the key is figuring out what you want to allow and what you don't. Start with the basics: 1) What are your sources and destinations? WAN or upstream links? LAN or downstream links? 2) Which sources (originating addresses) do you want to have access to the router itself? W...
by tjc
Sat Aug 27, 2011 6:18 am
Forum: General
Topic: Bricked my 450G? Can't access it
Replies: 9
Views: 1324

Re: Bricked my 450G? Can't access it

Did you follow the reset instructions? You also need to cycle the power and wait for the LEDs to flash to reset to default config or until it stops flashing to have it look for a netinstall server. It may take a couple tries to get the timing right. See: http://wiki.mikrotik.com/wiki/Manual:Password...
by tjc
Tue Aug 23, 2011 5:33 am
Forum: Beginner Basics
Topic: Problem setting up a DMZ (and other minor questions)
Replies: 6
Views: 2571

Re: Problem setting up DMZ

It looks like your src/dst are backward here:
# 2 Allow hosts on LAN1 interface to establish connections through both DMZ and WAN interfaces
/ip firewall filter add chain=forward action=accept out-interface=LAN1
# 3 Allow hosts on DMZ interface to initiate connections through the WAN interface
/ip f...
by tjc
Tue Aug 23, 2011 4:50 am
Forum: Beginner Basics
Topic: Problem setting up a DMZ (and other minor questions)
Replies: 6
Views: 2571

Re: Problem setting up a DMZ (and other minor questions)

Adding some filter rules would probably help. Just off the top of my head anything coming from the DMZ to the LAN side should be filtered in the forwarding chain to allow only established or related connections and drop everything else. I'd also limit connections from the DMZ port to the input chain...
by tjc
Sun Aug 21, 2011 8:18 pm
Forum: Beginner Basics
Topic: Basic Config + Multi-Site VPN
Replies: 18
Views: 11104

Re: Basic Config + Multi-Site VPN

Anything that falls off the end of the list of rules is allowed. So the default firewall config allows ICMP (pings and such) to the router itself (the input chain), and anything from established or related connections, then drops anything else from the "external" WAN interface. This still allows co...
by tjc
Sun Aug 21, 2011 5:20 pm
Forum: Beginner Basics
Topic: Problem setting up a DMZ (and other minor questions)
Replies: 6
Views: 2571

Re: New RB450G - some (probably basic) questions

Did you take the DMZ port out of the local switch group? If not, this:
interface ethernet print
will show the master port as ether2 (your LAN1) and traffic between them will bypass the firewall.