Community discussions

Search found 160 matches

by coylh
Fri May 11, 2018 10:18 pm
Forum: General
Topic: Ping Knock
Replies: 18
Views: 2162

Re: Ping Knock

I envy you the quality of the networks between which you move, I would be afraid to send just a single packet per size because it could be lost :-) Even with the timeout as provided, the penalty of a lost packet is only that you must wait one minute. You're also free to change the timing to a small...
by coylh
Fri Apr 27, 2018 7:46 pm
Forum: General
Topic: Ping Knock
Replies: 18
Views: 2162

Re: Ping Knock

Very client friendly concept. However, I don't understand why all the different "action=return" rules and the ordering in the knock section. I was attempting to get specific behavior. It appears that some of the knock strategies accept the port sequence with any number of incorrectly guessed ports ...
by coylh
Fri Apr 27, 2018 7:29 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 272
Views: 42337

Re: v6.42.1 [current]

It looks like netwatch is in the advanced-tools package.
by coylh
Wed Apr 25, 2018 10:01 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 272
Views: 42337

Re: v6.42.1 [current]

I'm seeing two things:

1. ssh keys are being regenerated as part of the upgrade.
2. Looks like netwatch is gone. Was this planned, or part of vulnerability mitigation?
by coylh
Wed Apr 25, 2018 7:05 pm
Forum: General
Topic: Ping Knock
Replies: 18
Views: 2162

Ping Knock

With the management protocol vulnerabilities, there's been an interest in port knocking. I've been playing around with an alternative using icmp packet sizes as the key. I call it Ping Knocking.
# Choose some random ping packet sizes of at least 100 as a knock sequence.
# Add 28 to the size in the f...
by coylh
Sat Apr 07, 2018 10:24 pm
Forum: General
Topic: Out of disk space - upgrading hAP Lite from v6.35 to v6.35.2
Replies: 20
Views: 9050

Re: Out of disk space - upgrading hAP Lite from v6.35 to v6.35.2

Or buy products with a respectable amount of flash... 16MB is embarrassing. It's like running your network with floppy disks.
by coylh
Wed Sep 27, 2017 8:30 pm
Forum: RouterBOARD hardware
Topic: CRS317-1G-16S+RM
Replies: 4
Views: 1379

CRS317-1G-16S+RM

The new 10G switches look interesting, until I read that they have only 16 Megabytes of flash. I really like the partitioning feature. It's useful. But this new trend of starving the device of flash is really a turn-off; it makes partitioning useless. I can understand trying to cut costs on a low en...
by coylh
Mon Jul 10, 2017 10:07 pm
Forum: General
Topic: Mark packets on one router so another one can use the marks?
Replies: 7
Views: 1180

Re: Mark packets on one router so another one can use the marks?

You can use DSCP markings if you want. If you choose values unused by your QOS scheme, it won't interfere.
by coylh
Tue Mar 21, 2017 1:15 am
Forum: General
Topic: Vlans in switch chip for CCR
Replies: 3
Views: 643

Re: Vlans in switch chip for CCR

The new version doesn't have a switch chip: "No switch-chip - the device now features only fully independent Ethernet ports each with a direct connection to the CPU, allowing to overcome previous shared 1Gbit limitation from switch-chip ports and utilize full potential of CPU processing power on tho...
by coylh
Sat Mar 11, 2017 3:30 am
Forum: Wireless Networking
Topic: POINT TO MULTI POINT-SECTOR ANTENNA
Replies: 10
Views: 1400

Re: POINT TO MULTI POINT-SECTOR ANTENNA

It depends on the locations. Do your wireless clients move? Can you use directional antennas on the clients? You need to have a three dimensional picture in your mind of the radiation patterns of each antenna in your system. For example, if your base station is using an omni antenna, most of your po...
by coylh
Sat Mar 11, 2017 3:21 am
Forum: Wireless Networking
Topic: CAPSMAN + Apple iPhone = no ip from CAPSMAN DHCP server
Replies: 1
Views: 858

Re: CAPSMAN + Apple iPhone = no ip from CAPSMAN DHCP server

You should run the latest RC firmware on the WAP AC.
by coylh
Sat Mar 11, 2017 3:13 am
Forum: General
Topic: Connecting a Verizon 4GLTE to Router
Replies: 2
Views: 558

Re: Connecting a Verizon 4GLTE to Router

I would be very cautious about this type of connection. Verizon may change their system on a whim and suddenly you will find your connectivity gone. Support will be uninterested in troubleshooting your homebrew custom linux Microtock hardware. The safest strategy is where the internet connection ter...
by coylh
Wed Mar 08, 2017 2:01 am
Forum: RouterBOARD hardware
Topic: Which device for long range (1-2 km) wifi?
Replies: 4
Views: 1565

Re: Which device for long range (1-2 km) wifi?

You'll want something like this:

Internet -50m- PtP))) ---2km--- (((PtP -50m- AP))) -50m- (((WirelessClient

Your wireless clients (tablets, laptops, etc) will have very short range (possibly a single room, depending on building construction).
by coylh
Sat Feb 25, 2017 7:57 pm
Forum: Wireless Networking
Topic: wAP ac and CapsMan - how to use both radios with predefined channels?
Replies: 5
Views: 1557

Re: wAP ac and CapsMan - how to use both radios with predefined channels?

/caps-man channel
add extension-channel=disabled frequency=2412 name=ch1-2412
add extension-channel=disabled frequency=2417 name=ch2-2417
add extension-channel=disabled frequency=2422 name=ch3-2422
add extension-channel=disabled frequency=2427 name=ch4-2427
add extension-channel=disabled frequency=...
by coylh
Wed Jan 11, 2017 3:54 am
Forum: Wireless Networking
Topic: Bad connection only in channel 6.
Replies: 4
Views: 1145

Re: Bad connection only in channel 6.

What's new in 6.39rc4 (2016-Dec-30 07:16):
!) ppp - completely rewritten internal fragmentation algorithm (when MRRU is used), optimized for multicore;
*) capsman - added CAP discovery interface list support;
*) ethernet - renamed "rx-lose" to "rx-loss" in ethernet statistics;
*) health - report fa...
by coylh
Wed Jan 04, 2017 2:15 am
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 79816

Re: v6.39rc [release candidate] is released

I hope this one: http://forum.mikrotik.com/viewtopic.php?f=7&t=115180 I'll try the RC and see if it helps. Hi Guys, Can I please have more info on *) wAP ac - improved 2.4GHz wireless performance; e.g. under what situations is performance "improved" ? I ask as we have had issues with the wAP AC's 2....
by coylh
Tue Dec 27, 2016 3:58 pm
Forum: Wireless Networking
Topic: Bad connection only in channel 6.
Replies: 4
Views: 1145

Re: Bad connection only in channel 6.

I have had the same problem. Support says it will be fixed in a future release.
by coylh
Mon Nov 28, 2016 11:25 am
Forum: General
Topic: $1000 REWARD CCR1036 w/ vlans traffic dropping for a second
Replies: 5
Views: 985

Re: $1000 REWARD CCR1036 w/ vlans traffic dropping for a second

How is the switch configured?
by coylh
Fri Nov 11, 2016 6:03 am
Forum: General
Topic: Weird 129.0.0.x IPs ?
Replies: 30
Views: 4377

Re: Weird 129.0.0.x IPs ?

This happens on the CCR ROS 6.36.3, but not on a 450G with the same version.
by coylh
Fri Nov 11, 2016 5:52 am
Forum: General
Topic: Weird 129.0.0.x IPs ?
Replies: 30
Views: 4377

Re: Weird 129.0.0.x IPs ?

I'm getting the 129 addresses in captures too. It looks like the packets are being damaged or the record of the packet is damaged. I have 172.16.*.* devices talking, and wireshark will show the source address as 129.0.0.*.
by coylh
Tue Sep 20, 2016 1:59 am
Forum: General
Topic: How do you print logs from an SD Card on the CLI?
Replies: 6
Views: 887

Re: How do you print logs from an SD Card on the CLI?

This would be a good feature request. There should be a 'more' type command available from the command line to view logs, backups, or other files stored on the device.
by coylh
Tue Aug 30, 2016 9:44 pm
Forum: RouterBOARD hardware
Topic: wAP AC PoE Compatibility - No Gigabit
Replies: 4
Views: 1225

Re: wAP AC PoE Compatibility - No Gigabit

I'm interested in the results. It's been a struggle to get gigabit dual-band POE access points from Mikrotik, and I'm hoping the WAP AC breaks through this historical barrier.
by coylh
Fri Jul 29, 2016 3:20 am
Forum: RouterBOARD hardware
Topic: Beware of CCR1009-8G-1S-1S+
Replies: 9
Views: 3045

Re: Beware of CCR1009-8G-1S-1S+

Also, I now have about 40 of this model and haven't had any problems.
by coylh
Fri Jul 22, 2016 10:39 am
Forum: Wireless Networking
Topic: CapsMan Scaling (Router)
Replies: 1
Views: 552

Re: CapsMan Scaling (Router)

I don't have much experience with capsman. But I think about things this way: 1. Systems that tunnel user traffic back to the controller don't scale. So, modern systems just use the controller for command and control. This makes the workload of a controller minimal. 2. Mikrotik only makes two produc...
by coylh
Tue Jul 12, 2016 2:12 am
Forum: RouterBOARD hardware
Topic: Advice needed in choosing the right Mikrotik device
Replies: 33
Views: 4122

Re: Advice needed in choosing the right Mikrotik device

Definitely avoid RB3011 or at least wait, let's say, 6 months to know the reality of this device:
Yes, it works but...
- Partition does not work.
I found that partition still doesn't work yesterday.
by coylh
Wed Jun 15, 2016 12:03 am
Forum: RouterBOARD hardware
Topic: 10G SFP+ and linux
Replies: 2
Views: 761

10G SFP+ and linux

Has anyone tried using http://routerboard.com/Splus85DLC03D on Linux?  How is the driver support?
by coylh
Sat Jun 11, 2016 5:24 am
Forum: Wireless Networking
Topic: capsman dual radios, dual band
Replies: 6
Views: 1884

Re: capsman dual radios, dual band

I don't think so. Each radio matches my first provision rule. Each radio is a R52nM type that can be 2.4 or 5Ghz. I think this would not be a problem in an access point that has dedicated band radios. The trouble is that these cards are too flexible. ;-)
by coylh
Sat Jun 11, 2016 1:31 am
Forum: Wireless Networking
Topic: capsman dual radios, dual band
Replies: 6
Views: 1884

Re: capsman dual radios, dual band

Hi uldis.  Yes, that works.  Though, it means hard coding each radio's mac address into the system, which takes the convenience out of the process.  For an installation of my size it means 150 provisioning rules.  I think it would be useful to consider a regex field for the default interface name (s...
by coylh
Fri Jun 10, 2016 1:18 am
Forum: Wireless Networking
Topic: capsman dual radios, dual band
Replies: 6
Views: 1884

capsman dual radios, dual band

Does capsman allow provisioning radios with the concept of "first radio" and "second radio"? I'm using a RB with two dual-band cards (in the sense that they can each either use 2.4 or 5). I can create two provisioning rules: one for 2.4 and another for 5Ghz. But, both radios in the RB get configured...
by coylh
Wed Jun 01, 2016 10:04 pm
Forum: RouterBOARD hardware
Topic: Need SFP for long link compatable with Mikrotik CCR
Replies: 2
Views: 736

Re: Need SFP for long link compatable with Mikrotik CCR

I've been using MRV modules for up to 90km stably on CCR for a couple years. They might have some 120s.
by coylh
Wed Jun 01, 2016 9:54 pm
Forum: General
Topic: non-contiguous netmask in firewall
Replies: 3
Views: 495

Re: non-contiguous netmask in firewall

I can't get a routerboard to accept non-contiguous (255.100.0.0 or 255.0.255.0). It's a bad idea anyway; your ip scheme will be crazy, just for acl convenience.
by coylh
Fri Mar 25, 2016 8:42 am
Forum: Announcements
Topic: Winbox3.4 released!
Replies: 54
Views: 18469

Re:

http://forum.mikrotik.com/viewtopic.php?f=2&t=105802 Was discussed already. Not a very satisfying discussion. From what I can see, there's no protection involved at all when downloading winbox.exe from the Mikrotik site. How many of these do you want to check?
[ ] Unsigned executable
[ ] Downloaded...
by coylh
Thu Mar 10, 2016 4:51 am
Forum: Announcements
Topic: Winbox3.2 released!
Replies: 59
Views: 10981

Re: Winbox3.2 released!

Where can I find the MD5 (or other) checksum for the Winbox3.2 download?
by coylh
Tue Mar 08, 2016 8:46 am
Forum: RouterBOARD hardware
Topic: Several 802.3af POE ports for CCTV and Mikrotik AP in the same equipment ?
Replies: 4
Views: 1063

Re: Several 802.3af POE ports for CCTV and Mikrotik AP in the same equipment ?

Not sure quite what you're looking for. The access points that I've seen really want all the power af can provide--there isn't much left over for a camera. If you just want a switch to provide power, there are many of those. But, not from Mikrotik.
by coylh
Wed Mar 02, 2016 4:35 am
Forum: General
Topic: PRTG sensors monitoring Mikrotik RB2011 interfaces
Replies: 3
Views: 3111

Re: PRTG sensors monitoring Mikrotik RB2011 interfaces

Using PRTG SNMP traffic counters is pretty straightforward for me. Just select which interfaces you're interested in.
by coylh
Mon Feb 29, 2016 5:54 am
Forum: Announcements
Topic: Winbox3.1 released!
Replies: 50
Views: 24972

Re: Winbox3.1 released!

What is the winbox3.1 checksum?
by coylh
Fri Feb 26, 2016 12:36 pm
Forum: RouterBOARD hardware
Topic: Work temperature for RB450G
Replies: 4
Views: 2197

Re: Work temperature for RB450G

      voltage: 11.3V
  temperature: 48C
by coylh
Fri Jan 15, 2016 2:33 am
Forum: Announcements
Topic: v6.33.5 [current] is released!
Replies: 120
Views: 33255

Re: v6.33.5 [current] is released!

Wildcards are not supported in certificate CN.
Is this a change from previous versions? I use a wildcard certificate for SSTP on 6.30.
by coylh
Thu Dec 31, 2015 12:41 am
Forum: General
Topic: Backdoor passwords in VPN/Firewalls
Replies: 3
Views: 1282

Backdoor passwords in VPN/Firewalls

https://threatpost.com/juniper-backdoor ... ic/115685/

It's a good reminder.

Speaking of security... Mikrotik could make some improvements to the web site and forum by turning on TLS. Unencrypted firmware and checksum downloads (not to mention forum logins) will eventually be abused.
by coylh
Thu Aug 27, 2015 8:16 am
Forum: General
Topic: SSTP does not work correctly
Replies: 2
Views: 483

Re: SSTP does not work correctly

You could try turning on logging for sstp and see what the log says.
by coylh
Wed Aug 26, 2015 1:42 am
Forum: General
Topic: Diagnosing performance/throughput issues
Replies: 3
Views: 660

Re: Diagnosing performance/throughput issues

Packet capture at different points and see if the traces tell you anything interesting. I'd start with what a client sees when talking to the Internet.
by coylh
Wed Aug 26, 2015 1:32 am
Forum: General
Topic: Configurable solution to automatically backup Mikrotik's routinely?
Replies: 2
Views: 955

Re: Configurable solution to automatically backup Mikrotik's routinely?

If you're willing to load each routerboard with a ssh key, you can use a simple batch script and PuTTY on a Windows machine. Load the key into Pageant and then run the script on occasion.
@echo off
SET PLINK=..\plink.exe
SET PSCP=..\pscp.exe
SET USER=admin
SET CONFIGDIRECTORY="C:\mikrotik"
FOR /f "de...
by coylh
Wed Aug 19, 2015 10:59 am
Forum: The Dude
Topic: Notification The Dude Speak 4.0
Replies: 3
Views: 2146

Re: Notification The Dude Speak 4.0

Que? :D
by coylh
Wed Aug 19, 2015 9:49 am
Forum: General
Topic: Looking for a network sniffer - please advise
Replies: 3
Views: 517

Re: Looking for a network sniffer - please advise

Would the two switch chips in 2011 or 493G work? I don't think I've tried running two mirrors.
by coylh
Mon Aug 17, 2015 1:26 am
Forum: General
Topic: L2TP IPsec VPN client with certificates
Replies: 2
Views: 3339

Re: L2TP IPsec VPN client with certificates

Check that the router's date/time is correct.
by coylh
Tue Aug 11, 2015 1:55 am
Forum: General
Topic: Port forwarding HTTPS traffic
Replies: 10
Views: 4617

Re: Port forwarding HTTPS traffic

It's better to mentally separate NAT and Security. NAT doesn't protect the router itself, so you'll want to add filtering regardless of how good NAT is at protecting your internal computers. You may also find that you don't use NAT when moving to IP6. And, for larger networks, you may want security ...
by coylh
Fri Aug 07, 2015 7:05 am
Forum: Beginner Basics
Topic: Point to Internal DNS server
Replies: 9
Views: 2063

Re: Point to Internal DNS server

What is the scenario where a loop happens? I'm using something similar, but without protection from the router's own lookups (by ip):
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-port=53 in-interface=ether1-lan protocol=udp to-addresses=192.168.0.1 to-ports=53
add ac...