Community discussions

Search found 170 matches

by Devil
Wed Oct 26, 2016 6:30 am
Forum: General
Topic: Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port
Replies: 7
Views: 1136

Re: Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port

I would love a Mikrotik staff opinion on this if possible please. I was by the way able to develop a very hacky way to distinguish between https traffic passing through walled garden and https traffic being intercepted. I however abandoned that approach since it would cut off the connection at an aw...
by Devil
Fri Oct 14, 2016 5:50 pm
Forum: General
Topic: Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port
Replies: 7
Views: 1136

Re: Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port

Yes, i will try the DHCP method. certainly including it would be better than not to. That however, does not invalidate my initial feature request. the issue still stands and it might be years before we end up with a standard acceptable solution that could deal with all situations. Thank you for your...
by Devil
Fri Oct 14, 2016 5:32 pm
Forum: General
Topic: Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port
Replies: 7
Views: 1136

Re: Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port

I'm not sure why i didn't know about this until now but it seems there have been some attempts for a standard method: https://tools.ietf.org/html/rfc7710
It still however, doesn't seem to address situations in which the user might logout of captive portal at will and would need to re-login later on
by Devil
Fri Oct 14, 2016 4:17 pm
Forum: General
Topic: Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port
Replies: 7
Views: 1136

Re: Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port

@pe1chl As far as i know, there is no standard method for this. probably the best solution so far, comes from chrome/chromium ( https://docs.google.com/document/d/1k-gP2sswzYNvryu9NcgN7q5XrsMlUdlUdoW9WRaEmfM ). it is a good one, aside from the fact that it's been disabled in windows 8+. sure, newer ...
by Devil
Fri Oct 14, 2016 1:47 pm
Forum: General
Topic: Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port
Replies: 7
Views: 1136

Feature req: Disabeling hotspot port 443 interception without crippeling walled garden functionality on that port

Let's face it. Intercepting https requests to redirect users to the login page, is a bad idea. And as we move forward and more sites start using HSTS, it gets worse. it also undermines the seriousness of certificate error messages by the browsers as users could easily get used to that and click cont...
by Devil
Sat Jul 16, 2016 5:18 am
Forum: Scripting
Topic: How to convert a string to ip-prefix data type?
Replies: 3
Views: 1346

Re: How to convert a string to ip-prefix data type?

I finally had the time to try this myself. How the hell did you come up with that? this is genius. I'm not even entirely sure why it works. and furthermore, why only when the parse command is enclosed with an extra '[ ]' pair. You deserve a reputation point for this. unfortunately though, i don't se...
by Devil
Fri Jul 01, 2016 5:58 pm
Forum: Scripting
Topic: How to convert a string to ip-prefix data type?
Replies: 3
Views: 1346

Re: How to convert a string to ip-prefix data type?

That's a pretty clever solution. well done
by Devil
Wed Apr 20, 2016 10:37 am
Forum: General
Topic: Is OpenVPN implementation in Mikrotik insecure?
Replies: 2
Views: 676

Re: Is OpenVPN implementation in Mikrotik insecure?

^This when it comes to OpenVPN, Mikrotik falls behind pretty terribly. They put all their energy and effort on developing SSTP which frankly is nothing but re-inventing the wheel and they abandoned OpenVPN all together "In favor of SSTP". what they don't seem to understand, is that OpenVPN is the de...
by Devil
Mon Jan 25, 2016 10:19 am
Forum: General
Topic: Feature request for v7.x
Replies: 269
Views: 63583

Re: Feature request for v7.x

Ability to exclude some source/destination hosts/subnets from hotspot traffic counter.
And for the love of god, OVPN UDP support.
by Devil
Mon Jan 25, 2016 10:16 am
Forum: General
Topic: Feature Request: Hotspot HTTPS redirection problem!!!
Replies: 5
Views: 3362

Re: Feature Request: Hotspot HTTPS redirection problem!!!

HTTPS redirection already happens in mikrotik hotspot, however, because of the way certificates work, users will get a scary warning on their browser regarding an invalid certificate and they need to accept it before they get redirected to hotspot portal page. It is possible to completely block port...
by Devil
Fri Feb 13, 2015 7:54 am
Forum: Scripting
Topic: (solved) Little problem with "if" (ros 6.25)
Replies: 7
Views: 969

Re: Little problem with "if" (ros 6.25)

That's because you forgot to use [ ] . try:
:if ([:pick $portname ( [:len $portname] - 2 )] = "1")
by Devil
Thu Feb 12, 2015 1:06 pm
Forum: Scripting
Topic: Remove Address List Entry by Comment
Replies: 3
Views: 2653

Re: Remove Address List Entry by Comment

Use another local variable other than 'comment' and see if it solves it. RouterOS script engine apparently runs into problems when you try to call a variable with the same name as some other part of the argument.
by Devil
Thu Feb 12, 2015 11:15 am
Forum: Scripting
Topic: (solved) Little problem with "if" (ros 6.25)
Replies: 7
Views: 969

Re: Little problem with "if" (ros 6.25)

:local portname "ether9";
:local portvlanID;
:if ([:len $portname] = 6) \
   do={:set portvlanID "-e0$[:pick $portname 5 6]";} \
   else={:set portvlanID "-e$[:pick $portname 5 7]";}
by Devil
Thu Feb 12, 2015 7:49 am
Forum: Scripting
Topic: How to convert a string to ip-prefix data type?
Replies: 3
Views: 1346

How to convert a string to ip-prefix data type?

Let's create a dynamic address list entry first:
/ip firewall address-list add list=test_list comment=test_comment dynamic=yes address=10.0.0.0/8
Now, does anyone have any idea why I get a false response when I issue:
:put (10.0.0.1 in [/ip firewall address-list get [find comment=test_comment] address]) ...
by Devil
Wed Sep 17, 2014 6:46 am
Forum: Wireless Networking
Topic: How to Bypass Hotspot Usage Counters for Specific Subnets
Replies: 17
Views: 11457

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

is this still valid?
ROS 6.19 -
Unfortunately, after years of asking the support, they still don't seem to be interested in adding this important feature. even though they know very well that a lot of their users are asking for it.
by Devil
Tue Jan 07, 2014 10:53 am
Forum: General
Topic: Strange IPsec issues while setting up L2TP/IPsec (v5.26)
Replies: 0
Views: 541

Strange IPsec issues while setting up L2TP/IPsec (v5.26)

Hi, I'm fairly new to IPsec and i do know that v6 adds extra functionalities to it. But at this point, I'm not ready to upgrade. and also i should be able to easily set up L2TP/IPsec in v5 as well. So first I'm just gonna explain a bit about the setup and then the issues that I'm having and at the e...
by Devil
Sun Jul 21, 2013 1:32 pm
Forum: General
Topic: PHP md5() for login page
Replies: 10
Views: 4135

Re: PHP md5() for login page

Did you read the link i provided in my post in "Edit:" part? that link contains a php code example.
To be more precise, when you save those octave numbers in a variable, they end up as a string. extra step is needed to convert them before generating md5.
by Devil
Mon Mar 25, 2013 9:34 am
Forum: General
Topic: global-total in HTB, does not work as expected?
Replies: 1
Views: 488

Re: global-total in HTB, does not work as expected?

I'll give this one more day and then will contact the support.
by Devil
Sat Mar 23, 2013 7:26 pm
Forum: General
Topic: Web server from internal clients
Replies: 1
Views: 399

Re: Web server from internal clients

what do you mean 'router login page'? are you running hotspot on your router? if yes, have you tried adding the address of the web server to the Walled Garden?
by Devil
Sat Mar 23, 2013 7:13 pm
Forum: General
Topic: Firewall connections - limit?
Replies: 1
Views: 475

Re: Firewall connections - limit?

I think it might be a limitation on maximum array size in mikrotik. If it's really the case, this is an undocumented limitation. Would love to hear from the support about this.
by Devil
Sat Mar 23, 2013 4:27 pm
Forum: General
Topic: DNS failure on ais.channel4.com
Replies: 2
Views: 708

Re: DNS failure on ais.channel4.com

Open terminal and issue the following command:
/ip dns set max-udp-packet-size=4096
See if you can resolve that domain then. If it didn't work, upgrade RouterOS to the latest stable version (v5.24 at the time of writing) . There had been some issues with DNS resolving that's been fixed. If you still...
by Devil
Fri Mar 22, 2013 3:00 pm
Forum: General
Topic: Hotspot redirect does not work when initiating a "HTTPS" URL
Replies: 7
Views: 5317

Re: Hotspot redirect does not work when initiating a "HTTPS"

I wonder why none of you guys mentioned https authentication type in '/ip hotspot profile' . by activating that, hotspot should automatically redirect unauthenticated users trying to access https on port 443, to the login page. however, almost all browsers will warn the users about the potential MIT...
by Devil
Fri Mar 22, 2013 1:45 pm
Forum: General
Topic: What is the size of 'Only hardware queue'?
Replies: 1
Views: 820

Re: What is the size of 'Only hardware queue'?

From Here : only-hardware-queue leaves interface with only hw transmit descriptor ring buffer which acts as a queue in itself. Usually at least 100 packets can be queued for transmit in transmit descriptor ring buffer. Transmit descriptor ring buffer size and the amount of packets that can be queued...
by Devil
Fri Mar 22, 2013 1:01 pm
Forum: General
Topic: global-total in HTB, does not work as expected?
Replies: 1
Views: 488

global-total in HTB, does not work as expected?

Hey everyone To this day, I only needed to use global-out interface for my QOS managing. However, there's a special case that it requires to make use of global-total as well. It's my understanding that a queue with global-total set as its parent, would attach to both global-in and global-out interfa...
by Devil
Wed Nov 07, 2012 12:51 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

logic of reply processing was changed. So, replies are processed in another way now.
Ah, ok. thanks for the info. and of course for fixing this bug :)
by Devil
Tue Nov 06, 2012 12:48 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

I did a last minute test before upgrading from v5.18 to ensure that i can still reproduce the bug, and i could. however, after upgrading to v5.21 and hours of trying, i was not able to reproduce this anymore. i've also set my i7 filter rule to log any empty dns response packet. but after about a day...
by Devil
Mon Nov 05, 2012 2:10 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

Ah, for some reason i did not get an email about any new post in this topic since my last post. and also, ever since i implemented my workaround, i completely forgot about this issue. @mikrotik support: I'm very sorry that i kept you hanging like this. i will test the latest routeros version (5.21) ...
by Devil
Mon Aug 20, 2012 9:50 am
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

@ankostis I don't know about linux but in windows, this is indeed not a normal behavior and second dns will only be used if the first one has failed. that being said, i believe this is a different story. it's a good thing to specify a backup dns server but in your case, you should supply that via dh...
by Devil
Wed Jul 25, 2012 11:06 am
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

We will very appreciate, if anybody can post step by step instructions, that 100% of time (at least 50% is fine) can produce the issue, post your /ip dns settings. Thank you very much for the cooperation. I think it got more to do with different links, dns forwarders and/or latencies. If you are in...
by Devil
Fri Jul 13, 2012 3:21 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

Alright, so as it turned out switching DNS server, caused me some very hard to find problems. so i decided to switch back to mikrotik dns once more but this time with a new approach. if you still want to use mikrotik dns, and specially if you are using dhcp to hand out dns settings, read on: I was a...
by Devil
Tue Jul 10, 2012 9:53 am
Forum: General
Topic: Hotspot User profile On Login: script tab variable
Replies: 11
Views: 5129

Re: Hotspot User profile On Login: script tab variable

Glad i could help :)
by Devil
Sun Jul 08, 2012 2:20 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

Alright, I'm sorry for the late reply. I really thought I could spend more time on this issue. but seems it's not going to happen any time soon. so I'm just going to share my findings, hoping it could be enough to identify the problem. all the domain names that I've reported, have something in common: t...
by Devil
Tue Jun 26, 2012 2:05 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

No 'changeip', that is not the case. As I'm using another dns server running on the same link, pointing to opendns without any problem. I have actually found some new stuff regarding this bug. I'm now able to predict when it's going to happen with high probability. but I need more time to find the ex...
by Devil
Mon Jun 25, 2012 7:51 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

Nope. i just flushed the cache and when the cache-used was as low as 15KiB , it happened again. it's quite clear that some specific setups trigger this bug as some people actually don't have this problem and even mikrotik couldn't reproduce it. i'm trying to change things one by one to see whether i...
by Devil
Mon Jun 25, 2012 7:30 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

I just enabled allow-remote-requests, even disabled static dns rules but still getting the same result. this might not do much, but attached is a wireshark capture file, with 3 dns requests and their responses. the first two failed while the third one was successful
by Devil
Mon Jun 25, 2012 5:04 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

Well, that means it probably depends on something else too. some other settings maybe, that triggers the bug. this is the export you requested:
# jun/25/2012 15:28:33 by RouterOS 5.18
# software id = xxxx-xxxx
#
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
max-udp-packe...
by Devil
Sat Jun 23, 2012 4:03 pm
Forum: Beginner Basics
Topic: Regexp for L7 protocols
Replies: 3
Views: 948

Re: Regexp for L7 protocols

That's because it's \x47\x45\x54
by Devil
Sat Jun 23, 2012 1:10 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

Alright, I have bad news and good news. the bad news is that I can confirm now that the problem still exists in v5.18 . the good news however is that I was able to come up with a batch script to reproduce this problem within minutes. because of that, I was also able to capture the problematic pa...
by Devil
Fri Jun 22, 2012 12:02 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

Hi normis. alright, I'll try v5.18. I'm using v5.17 at the moment by the way. two different routers and they're both suffering the same thing. since I purely rely on my clients' feedback, and since this issue seems quite random and could not be easily reproduced, it might take a while to see whether it...
by Devil
Fri Jun 22, 2012 11:41 am
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45036

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

For us the problem is serious as we use MK dns cache widely in all our routers. The random resolve issues occurs since 5.x update and is still present in newest 5.17 one. ... When the problem occurs nslookup doesn't resolve the domain. Flushing the local dns cache of host after the problem occurs h...
by Devil
Mon Jun 18, 2012 3:20 pm
Forum: Beginner Basics
Topic: questions about mikrotik hotspot
Replies: 5
Views: 1052

Re: questions about mikrotik hotspot

No. The right solution for this is using RADIUS server instead to handle users credential.
by Devil
Mon Jun 18, 2012 3:14 pm
Forum: Beginner Basics
Topic: Proxy from ISP
Replies: 4
Views: 1663

Re: Proxy from ISP

Alright, my bad. looking at it again, this method still works but only for http requests. meaning anything else beyond that (like https), would fail. Although i think transparent proxy for https could have probably worked by looking at the SNI field, this is not the case for mikrotik web proxy at th...
by Devil
Thu Jun 14, 2012 1:13 pm
Forum: General
Topic: Hotspot User profile On Login: script tab variable
Replies: 11
Views: 5129

Re: Hotspot User profile On Login: script tab variable

No. it should run for each user. make sure all the users are using the same profile that you set On-Login on. maybe there's something wrong in your script. if you are sure you're doing everything right, contact the support.
by Devil
Thu Jun 14, 2012 10:09 am
Forum: Scripting
Topic: need help
Replies: 4
Views: 3339

Re: need help

This wiki explains the basic setup you need to make it work
by Devil
Thu Jun 14, 2012 9:52 am
Forum: General
Topic: WEP-PROXY SETTINGS [IMPORTANT]
Replies: 11
Views: 2214

Re: WEP-PROXY SETTINGS [IMPORTANT]

This is the idea: http://wiki.mikrotik.com/wiki/Queue_wit ... _Web-Proxy
When you get how this works, you could apply it to any situation.
by Devil
Wed Jun 13, 2012 4:44 pm
Forum: General
Topic: Limiting access for Hotspot users
Replies: 3
Views: 2501

Re: Limiting access for Hotspot users

What's your setup? I assume it's ADSL -> Mikrotik -> LAN(Switch) -> Users in this setup, Mikrotik router is unable to block the users to access to the LAN, as the users don't talk to the router for that matter. they could be blocked to talk to each other only if the switch could be configured to do s...
by Devil
Wed Jun 13, 2012 4:22 pm
Forum: General
Topic: Tiny PPPoE Server Question
Replies: 2
Views: 583

Re: Tiny PPPoE Server Question

PPP -> PPPoE Servers section is for setting up PPPoE servers, as it implies. that's usually enough. but there are times that you want to create some rules (firewall rules for example), and make them apply to a user connecting through PPPoE. that's when you can create a PPPoE server interface, add the...
by Devil
Wed Jun 13, 2012 2:21 pm
Forum: Beginner Basics
Topic: Web proxy
Replies: 9
Views: 1243

Re: Web proxy

Alright, i did a bit of research on how Orkut communicates with its server. to block that profile, you need to block a POST request being sent to http://www.orkut.com/gwt/Multiplexer , with specific data in it. i don't think web proxy could do that. your best chance is probably L7 (or maybe 'Content...
by Devil
Wed Jun 13, 2012 11:55 am
Forum: Beginner Basics
Topic: Web proxy
Replies: 9
Views: 1243

Re: Web proxy

Ok. I did a bit of testing with Web debugger tools. this does seem to be very special. I'll do more study on this matter when I've got time. thanks for pointing it out :)
by Devil
Wed Jun 13, 2012 11:38 am
Forum: Beginner Basics
Topic: Web proxy
Replies: 9
Views: 1243

Re: Web proxy

Alright, fair enough. Hash-Bang URLs are quite special. but that doesn't make up for the fact that routeros webproxy ignores everything after the hash altogether. we are not talking about caching those pages and the challenges to do so, we're talking about a simple access rule not working because ...
by Devil
Wed Jun 13, 2012 11:17 am
Forum: Beginner Basics
Topic: Web proxy
Replies: 9
Views: 1243

Re: Web proxy

does it work if you use wildcard for the path?

# DST-PORT DST-HOST PATH METHOD ACTION HITS
1 *orkut.co.in *uid=6767284876016221058 deny
No it doesn't. anything after '#', is being ignored
by Devil
Wed Jun 13, 2012 10:57 am
Forum: Beginner Basics
Topic: Web proxy
Replies: 9
Views: 1243

Re: Web proxy

I couldn't make this work either. the problem appears to be the '#' character. unless i'm missing something, it looks like a bug
by Devil
Wed Jun 13, 2012 10:11 am
Forum: Beginner Basics
Topic: questions about mikrotik hotspot
Replies: 5
Views: 1052

Re: questions about mikrotik hotspot

if I set up a hotspot with bandwidth limitation defined in hotspot user profiles and then create a user and allow lets say 30 instances of that user to run simultaneously will the limit be used for each instance of this user separately or will it be a combined bandwidth from all of that user instance...
by Devil
Wed Jun 13, 2012 9:42 am
Forum: Beginner Basics
Topic: Wake on Lan
Replies: 5
Views: 2363

Re: Wake on Lan

:delay 30;
:local oldcount 0;
:local newcount;
:while (true) do={
  :set newcount [/ip firewall nat get [find comment="MY_VNC"] packets];
  :if ($oldcount != $newcount) do={
    /tool wol interface=ether2-local mac=00000000000;
    :set oldcount $newcount;
  }
  :delay 60;
}
create a schedule task for it and set i...
by Devil
Tue Jun 12, 2012 3:33 pm
Forum: General
Topic: Block trace of own interface ip
Replies: 5
Views: 2228

Re: Block trace of own interface ip

yeah you are right in some sense. it might break fragment responses coming from the internet. but then again it's kind of common practice nowadays. and not too many people who block icmp report side effects. it's also the default setting on a lot of routers. as long as DF flag is not set on a packet,...
by Devil
Tue Jun 12, 2012 12:04 pm
Forum: Beginner Basics
Topic: Wake on Lan
Replies: 5
Views: 2363

Re: Wake on Lan

well, i think scripting is your only solution. you could create a script and schedule it to run every minute or so to check whether the counter of your dstnat rule went up or not and then send the wol command.
by Devil
Tue Jun 12, 2012 11:46 am
Forum: General
Topic: Port Forward Limits
Replies: 2
Views: 455

Re: Port Forward Limits

70 dstnat rule is nothing. you should be fine
by Devil
Tue Jun 12, 2012 11:25 am
Forum: General
Topic: ADSL pppoe MTU setting
Replies: 2
Views: 2556

Re: ADSL pppoe MTU setting

There is nothing wrong with any of those replies. your maximum mtu indeed appears to be 1480. '(corrupted)' means the router did get the reply but the content of the packet was not the same as it was in the ping. some servers (like google for example), limit the reply bytes. in windows you see that ...
by Devil
Tue Jun 12, 2012 9:32 am
Forum: General
Topic: HotSpot redirect DNS based on address-list
Replies: 7
Views: 4176

Re: HotSpot redirect DNS based on address-list

Ah, yes. transparent proxy might actually end up messing with your settings, as the router handles the http requests. and since you've added opendns ip's in /ip dns , the router resolves the hosts through opendns. good catch :)
by Devil
Mon Jun 11, 2012 8:21 pm
Forum: General
Topic: HotSpot redirect DNS based on address-list
Replies: 7
Views: 4176

Re: HotSpot redirect DNS based on address-list

I just tested them. they are working. maybe your web proxy cache is caching the pages, tricking you into thinking the dns is still resolving through opendns. the best way to see whether you're using opendns or not, is to try using nslookup with a non-existent domain. a normal dns server( like 8.8.8....
by Devil
Mon Jun 11, 2012 7:11 pm
Forum: General
Topic: Winboxing by mac address
Replies: 4
Views: 714

Re: Winboxing by mac address

I can't think of any way. this is layer 2 access. firewall mostly operates on layer 3. you can however password protect your router so the right password will be required even for accessing through mac server. also, mac access should not be required when you have ip access to the router. you may wan...
by Devil
Mon Jun 11, 2012 4:30 pm
Forum: General
Topic: Help on accessing rb450g from internet
Replies: 5
Views: 1184

Re: Help on accessing rb450g from internet

It might be your isp. some isps block access to certain ports. usually vulnerable ports known to be used by viruses or attackers. blocking port 80 is a quite bold move though. you could contact them and ask them about it.
by Devil
Sun Jun 10, 2012 11:45 am
Forum: Beginner Basics
Topic: DNS redirect
Replies: 8
Views: 2812

Re: DNS redirect

I need a more technical answer. I understand how dst Nat works. I don't understand the traffic flow at all, port forward redirects to another server on an in coming request This rules seems to do the same. I'm sorry I need. A better answer You just answered your own question. you need to take a loo...
by Devil
Sun Jun 10, 2012 11:27 am
Forum: General
Topic: Winboxing by mac address
Replies: 4
Views: 714

Re: Winboxing by mac address

/tool mac-server mac-winbox disable [find]
You might also want to disable mac-telnet
/tool mac-server disable [find]
For more information, take a look at wiki: http://wiki.mikrotik.com/wiki/MAC_access
by Devil
Sun Jun 10, 2012 10:31 am
Forum: General
Topic: 711G-5HnD port Flapping up and down when static
Replies: 2
Views: 540

Re: 711G-5HnD port Flapping up and down when static

Try disabling Auto negotiation on both ends not just on 450G, also the speed and duplex should be the same on both ends. see if that makes any difference
by Devil
Sun Jun 10, 2012 10:20 am
Forum: General
Topic: Limiting Access on LAN RB433AH
Replies: 1
Views: 338

Re: Limiting Access on LAN RB433AH

It really depends on how many users we're talking about. if they are not a lot, you could consider adding firewall rules for each of them. you could set the src-mac-address for each rule. If you're dealing with a lot of users, see if this approach helps: http://forum.mikrotik.com/viewtopic.php?f=2&t...
by Devil
Sun Jun 10, 2012 9:33 am
Forum: General
Topic: How can i verify ros before reboot?
Replies: 12
Views: 2363

Re: How can i verify ros before reboot?

It's probably more than just some hash verification. a lot of firmwares are signed with the manufacturer's master code. and unless the device could verify the signature, it wouldn't do the upgrade. I wouldn't be surprised if that was the case with mikrotik firmwares as well. that being said, being able...
by Devil
Sat Jun 09, 2012 10:48 am
Forum: The User Manager
Topic: can I have a user with 2 hour internet for every day
Replies: 4
Views: 1776

Re: can I have a user with 2 hour internet for every day

Hi
Can I do this reset for one user profile ???
for resetting counters for users with default profile for example, use it like this:
/ip hotspot user reset-counters [find profile=default]
by Devil
Sat Jun 09, 2012 10:30 am
Forum: General
Topic: Feature Request: Bypass Hotspot
Replies: 5
Views: 2046

Re: Feature Request: Bypass Hotspot

yep. been suggested couple of times. we need this
by Devil
Sat Jun 09, 2012 10:26 am
Forum: Scripting
Topic: block incoming ports above 11000
Replies: 1
Views: 1404

Re: block incoming ports above 11000

/ip firewall filter add chain=input protocol=tcp dst-port=1100-65535 action=drop
by Devil
Sat Jun 09, 2012 10:08 am
Forum: General
Topic: HotSpot redirect DNS based on address-list
Replies: 7
Views: 4176

Re: HotSpot redirect DNS based on address-list

it doesn't matter that you set the dns option in your dhcp to use opendns, even if you set it to something invalid, it would still work. the reason for that is that hotspot, redirects all the dns requests to the routeros internal dns server (specially running at port 64872 for hotspot). so if your h...
by Devil
Fri Jun 08, 2012 2:18 pm
Forum: General
Topic: Help on accessing rb450g from internet
Replies: 5
Views: 1184

Re: Help on accessing rb450g from internet

it depends on your firewall filtering. is port 80 open for all interfaces or only for your local interface? you could make sure that it's open for all by putting the following rule at the top of your firewall filter input chain:
/ip firewall filter add chain=input protocol=tcp dst-port=80 action=acce...
by Devil
Fri Jun 08, 2012 2:05 pm
Forum: General
Topic: Ping on log event?
Replies: 1
Views: 459

Re: Ping on log event?

you could create a script to check for new log entries every minute or so. and issue the ping command if it matches any 'warning' or 'radius' log.
by Devil
Fri Jun 08, 2012 1:51 pm
Forum: Beginner Basics
Topic: questions about mikrotik hotspot
Replies: 5
Views: 1052

Re: questions about mikrotik hotspot

Example if I have Anonymous User which is NOT LOGIN at ether2, will it be able to connect to Anonymous User which is NOT LOGIN at ether3? not by default. unless you add exceptions for them in Walled Garden(IP). If in the situation: client1 logged in at ether2 with 1mbps rate client2 logged in at et...
by Devil
Fri Jun 08, 2012 12:47 pm
Forum: Scripting
Topic: mikrotik on x86
Replies: 26
Views: 4212

Re: mikrotik on x86

do you have any ideas about the "Cisco 837-K9-64 ADSL Router 64MB Cisco837 K9" if it can be a good ADSL modem, or any other one to propose to me. unfortunately, i do not work with adsl modems a lot. so i can't recommend any. see if that new modem solves your problem, but just remember, there is a q...
by Devil
Fri Jun 08, 2012 10:43 am
Forum: Scripting
Topic: mikrotik on x86
Replies: 26
Views: 4212

Re: mikrotik on x86

Alright, so I think at this point, it's safe to say it's either your adsl modem or your isp. the latter seems more likely. unfortunately, because of your setup, you have to diagnose the problem in your adsl modem now. cause that's the point where things go wrong. have you set any static route in your ...
by Devil
Thu Jun 07, 2012 3:20 pm
Forum: Scripting
Topic: Need Help, to get IP adddress from simple queue and...
Replies: 6
Views: 1712

Re: Need Help, to get IP adddress from simple queue and...

Alright, I rewrote the whole thing for you. it now supports any possible type of target-address: ( single address, multiple addresses, and subnets). let's just say it was tricky
:local lenip;
:foreach i in=[/queue simple find comment="384k"] do={
  :foreach ip in=[/queue simple get value-name=target-add...
by Devil
Thu Jun 07, 2012 1:25 pm
Forum: General
Topic: Tunnel over TCP - possible ?
Replies: 6
Views: 2379

Re: Tunnel over TCP - possible ?

EoIP is based on IP protocol (Ethernet over IP) and GRE, GRE is also a tunnel over IP, so no UDP. I find it hard to believe that there are tunnels over UDP, because of the nature of UDP itself, but I am no expert in tunnels. Anyway, best way is to give it a try. Actually UDP tunneling exist and are...
by Devil
Thu Jun 07, 2012 12:48 pm
Forum: Scripting
Topic: mikrotik on x86
Replies: 26
Views: 4212

Re: mikrotik on x86

Alright, thanks for including both tracert results for when the connection is ok and when its not. i'm going to guess 192.168.1.1, is your routeros ip address and anything after that point, is your isp. including 10.70.70.1 and 195.24.213.129. if my assumptions are wrong, please correct me. As you c...
by Devil
Wed Jun 06, 2012 5:02 pm
Forum: Scripting
Topic: mikrotik on x86
Replies: 26
Views: 4212

Re: mikrotik on x86

next time it happened, use tracert command in windows. for google.com , facebook.com and 195.24.213.129:
tracert google.com
tracert facebook.com
tracert 195.24.213.129
run each command couple of times and post the result. you can only include part of the ip addresses in the result (like 192.168.xxx....
by Devil
Wed Jun 06, 2012 3:42 pm
Forum: Scripting
Topic: mikrotik on x86
Replies: 26
Views: 4212

Re: mikrotik on x86

it could be caused by some firewall rules, but not the default ones. you had to create some very specific rules that could result in such behavior. it also could be your adsl modem, your switch, your cable, your isp,... which is why its important to narrow it down. i suggest to connect your adsl mod...
by Devil
Wed Jun 06, 2012 12:41 pm
Forum: General
Topic: Tunnel over TCP - possible ?
Replies: 6
Views: 2379

Re: Tunnel over TCP - possible ?

The reason I'm looking for this is that I don't want UDP traffic to get lost over a wireless connection due to interference - if I could have a TCP tunnel I would hope that no traffic *inside* the tunnel would get lost. Though that would defeat the whole purpose of udp, you should be right. i guess...
by Devil
Wed Jun 06, 2012 12:00 pm
Forum: General
Topic: How can i verify ros before reboot?
Replies: 12
Views: 2363

Re: How can i verify ros before reboot?

Yes, i know, but what if md5sum is wrong? I reboot router and then? Can i verify before reboot? Edit: When i upload npk package to the router, how a i can verify that package is ok and md5sum is correct? (before reboot via terminal or winbox) Thanks L. As i understand, your concern is the router be...
by Devil
Wed Jun 06, 2012 11:23 am
Forum: Scripting
Topic: Need Help, to get IP adddress from simple queue and...
Replies: 6
Views: 1712

Re: Need Help, to get IP adddress from simple queue and...

I don't know when is the problem.. That script is a bit different from the script 'machack' provided. but anyway, since at least you mentioned where you experience the problem, i'm able to help. the trick is to check whether the address list is already added and only if not, add the new entry: ...
by Devil
Tue Jun 05, 2012 9:54 am
Forum: General
Topic: Excessive RAM Usage
Replies: 8
Views: 6138

Re: Excessive RAM Usage

make a Supout.rif file after the memory usage goes up high enough, email the support and attach the file
by Devil
Mon Jun 04, 2012 7:18 pm
Forum: Scripting
Topic: mikrotik on x86
Replies: 26
Views: 4212

Re: mikrotik on x86

You might wanna contact the support then. This is not a normal behavior at all.
by Devil
Mon Jun 04, 2012 2:42 pm
Forum: Scripting
Topic: mikrotik on x86
Replies: 26
Views: 4212

Re: mikrotik on x86

does this happen only when you're downloading? do you have any queue in place? also, are those reply times always that high? or only when you're downloading?
by Devil
Mon Jun 04, 2012 2:18 pm
Forum: Scripting
Topic: Need Help, to get IP adddress from simple queue and...
Replies: 6
Views: 1712

Re: Need Help, to get IP adddress from simple queue and...

currently i don't have access to a mikrotik device. but if you say where exactly on this code, you experience the problem, i might be able to help.
by Devil
Mon Jun 04, 2012 2:04 pm
Forum: General
Topic: Securing web proxy
Replies: 1
Views: 504

Re: Securing web proxy

Are you saying you want to avoid your web proxy being used by the outside world? Assuming that's what you're asking, I have to say, I'm concerned about why it is already possible in your router. you should block all unnecessary input packets. and only allow those that you need, not the other way around. An...
by Devil
Sun Jun 03, 2012 4:27 pm
Forum: Beginner Basics
Topic: First time using Mikrotik needing some help please
Replies: 6
Views: 1266

Re: First time using Mikrotik needing some help please

I have never setup a dhcp relay but it appears that dhcp server, should support dhcp relay functionality. or maybe i'm wrong and all of dhcp servers support them.
please post
/ip address print detail
/ip dhcp-client print detail
/ip dhcp-relay print detail
of your router
by Devil
Sun Jun 03, 2012 1:40 pm
Forum: Scripting
Topic: Script to check whether a destination port is open
Replies: 3
Views: 6202

Re: Script to check whether a destination port is open

Someone might have a better idea, but you could probably use fetch tool to test whether you could access to a website through a proxy or not, this is an example:
/tool fetch address=187.115.172.82 port=8181 host=www.mikrotik.com src-path=/resources.html mode=http
the address/port specified, is an ac...
by Devil
Sun Jun 03, 2012 12:09 pm
Forum: Beginner Basics
Topic: Proxy from ISP
Replies: 4
Views: 1663

Re: Proxy from ISP

I suggest using '/ip proxy' for that matter:
/ip proxy set parent-proxy=213.42.21.101
/ip proxy set parent-proxy-port=8088
/ip proxy set port=8090
/ip proxy set enabled=yes
And then create a dstnat rule to forward all the tcp connections to the webproxy: (Just to make sure you won't break your conne...
by Devil
Sun Jun 03, 2012 11:39 am
Forum: General
Topic: Block trace of own interface ip
Replies: 5
Views: 2228

Re: Block trace of own interface ip

/ip firewall filter add chain=input protocol=icmp action=drop
Place it at the top of input chain
by Devil
Sun Jun 03, 2012 11:24 am
Forum: General
Topic: Redirect specific port to socks proxy?
Replies: 1
Views: 5545

Re: Redirect specific port to socks proxy?

SOCKS proxy is not like HTTP proxy. a special handshake is needed to establish a connection to SOCKS proxy. by simply forwarding the port to SOCKS proxy, the client has no way of knowing its a SOCKS proxy and that it should use that special handshake. if you can set your program to act as a HTTP pro...
by Devil
Sun Jun 03, 2012 10:53 am
Forum: Beginner Basics
Topic: Pass-through DNS but limit other UDP session...
Replies: 1
Views: 528

Re: Pass-through DNS but limit other UDP session...

Assuming that all of those rules are in forward chain, create the same rules that you've created for tcp, and set them to limit the udp. and then put this rule on top of them:
/ip firewall filter add chain=forward protocol=udp dst-port=53 action=accept
that way, dns requests will be accepted by the ...
by Devil
Sat Jun 02, 2012 5:21 pm
Forum: General
Topic: redirect traffic (DNS) via L7?
Replies: 4
Views: 1020

Re: redirect traffic (DNS) via L7?

There is absolutely no need to use L7 for forwarding dns requests. it might be possible, but unnecessary. a simple dstnat on udp port 53, would do the trick. if you post your config, someone might be able to spot the problem that why you couldn't make it work.
by Devil
Sat Jun 02, 2012 5:15 pm
Forum: General
Topic: Feature Request: MTR
Replies: 72
Views: 25129

Re: Feature Request: MTR

Yes, that would be helpful
by Devil
Sat Jun 02, 2012 5:12 pm
Forum: General
Topic: 80GB hdd full
Replies: 2
Views: 511

Re: 80GB hdd full

If you are also using webproxy, take a look at ip -> proxy -> status and see the 'Cached Used' value
by Devil
Sat Jun 02, 2012 4:58 pm
Forum: Beginner Basics
Topic: Web proxy cache
Replies: 2
Views: 1498

Re: Web proxy cache

See if something like this works:
/ip proxy cache add path=*.jpg action=allow
/ip proxy cache add path=*.jpeg action=allow
/ip proxy cache add path=*.png action=allow
/ip proxy cache add path=*.gif action=allow
/ip proxy cache add path=*.tif action=allow
/ip proxy cache add path=*.tiff action=allow
...
by Devil
Sun May 27, 2012 4:15 pm
Forum: General
Topic: How can I move Mikrotik Router OS setting from one board to
Replies: 8
Views: 1188

Re: How can I move Mikrotik Router OS setting from one board

I believe
/import filename=xxx
will do.
by Devil
Sat May 26, 2012 4:57 pm
Forum: Beginner Basics
Topic: Replace PPPoE WAN with Dynamic IP WAN
Replies: 7
Views: 2504

Re: Replace PPPoE WAN with Dynamic IP WAN

You said somewhere that you were able to ping but you could not browse, and it would fail immediately. that's usually the case when you have dns resolving problem. open cmd.exe in windows and type nslookup . see if you can resolve any domain. for example google.com . if it failed but you can still p...
by Devil
Sat May 26, 2012 3:58 pm
Forum: Scripting
Topic: how to online user kick script
Replies: 3
Views: 2144

Re: how to online user kick script

'find' command, is not available in api. use queries and proplist instead.
for more information, take a look at wiki:

http://wiki.mikrotik.com/wiki/Manual:API
http://wiki.mikrotik.com/wiki/API_command_notes
by Devil
Sat May 26, 2012 3:33 pm
Forum: General
Topic: limiting connections
Replies: 1
Views: 386

Re: limiting connections

Yes. with that configuration, only those tcp connections that their input or output interfaces are not backbone1 or backbone2, will reach rule number 6.
This will work assuming your pppoe users, are not connecting to the internet through backbone links.
by Devil
Sat May 26, 2012 3:16 pm
Forum: General
Topic: RB450G some (one) sites not working
Replies: 1
Views: 354

Re: RB450G some (one) sites not working

I would first make sure the problem is really related to your mikrotik router. don't just take your isp word for it. test it yourself. plug-in the cable directly to a pc and see whether you can ping the host in question.
by Devil
Sat May 26, 2012 3:06 pm
Forum: Beginner Basics
Topic: Allow second LAN IP range through Web Proxy
Replies: 1
Views: 768

Re: Allow second LAN IP range through Web Proxy

Have you tried creating a web proxy access rule with source address of 192.168.50.0/24 , set it to allow and move it to the top?
by Devil
Wed May 16, 2012 4:55 pm
Forum: General
Topic: RouterOS sends RST bit for no apparent reason
Replies: 5
Views: 2163

Re: RouterOS sends RST bit for no apparent reason

Well that's a shame. i was looking forward to see what the problem was. and i believe with just a little time, we could have found it. the chance of it being a bug is quite unlikely, it most likely was the result of some misconfiguration.
by Devil
Wed May 16, 2012 2:35 pm
Forum: Scripting
Topic: script working well with /24 subnet but not with /16
Replies: 6
Views: 1482

Re: script working well with /24 subnet but not with /16

The heart of Megis QOS solution, is PCQ. you should use PCQ to reduce those mangle rules. you should do w/e it takes to always keep the firewall rules (and other rules as well), to the minimum. or you're going to face some serious resource problems in the future.
by Devil
Sun May 13, 2012 3:03 pm
Forum: General
Topic: My set of Feature Requests
Replies: 14
Views: 2492

Re: My set of Feature Requests

7- Ability to add other ips instead of only gateway to check for accessibility in routing table ( to clarify, there are lots of times when a gateway is reachable even when the connection is down. for example an adsl modem acting as a gateway, always has its internal ip available. but if check_gatew...
by Devil
Thu May 10, 2012 12:58 pm
Forum: General
Topic: Won't pass traffic over 1468 bytes
Replies: 10
Views: 41725

Re: Won't pass traffic over 1468 bytes

The part that I don't understand, is I've set the MTU to 1600 on every device along the way, but that didn't help - shouldn't that make up for the 4 bytes from the VLAN being added? NathanA clearly knows more than me on this subject. specially vlans. so im not gonna comment on those. but regarding ...
by Devil
Wed May 09, 2012 4:46 pm
Forum: General
Topic: Hotspot User profile On Login: script tab variable
Replies: 11
Views: 5129

Re: Hotspot User profile On Login: script tab variable

Sure. however, that $user variable, seems to be quite delicate . sometimes you have to put its value to another variable to make things work. look at my script, that's how i created "hotspot_user". putting $user there directly, simply didn't work. I'm not quite sure why. but at least there's a workarou...
by Devil
Wed May 09, 2012 4:28 pm
Forum: General
Topic: Hotspot User profile On Login: script tab variable
Replies: 11
Views: 5129

Re: Hotspot User profile On Login: script tab variable

I tried the following (executing them from command line does not work I accept the reason for that is $user is only defined during the on-login process). You got it all wrong. you can only use $user in on-login and on-logout section. not from command line and not from another script. open you winbo...
by Devil
Wed May 09, 2012 3:46 pm
Forum: General
Topic: Hotspot User profile On Login: script tab variable
Replies: 11
Views: 5129

Re: Hotspot User profile On Login: script tab variable

My question is there also a way to logging the user's MAC as well in this script?
try this:
:local "hotspot_user" $user;
:log info "User $user with mac-address of $[/ip hotspot active get [find user=$"hotspot_user"] mac-address] logged in!"
none of the above work they all error on the $user variabl...
by Devil
Wed May 09, 2012 2:19 pm
Forum: General
Topic: reset error counter ethernet
Replies: 1
Views: 442

Re: reset error counter ethernet

I can't also make it work in v5.14. even the winbox button for resetting the counter doesn't work. unless i'm missing something, seems to me like a bug.
by Devil
Wed May 09, 2012 11:36 am
Forum: General
Topic: Won't pass traffic over 1468 bytes
Replies: 10
Views: 41725

Re: Won't pass traffic over 1468 bytes

see if you can make any difference by changing the MSS.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss=!0-1400 new-mss=1400
these kinda problems could get quite complicated and sometimes its very hard to diagnose them without sitting on the network. hope s...
by Devil
Wed May 09, 2012 10:11 am
Forum: General
Topic: Router OS versions (example x.5 & x.15 &x.05)
Replies: 27
Views: 10257

Re: Router OS versions (example x.5 & x.15 &x.05)

we had a massive amount of requests to switch to new style, because old style was considered confusing. I guess each thing is confusing to somebody
ok! Although I'm not sure why it was considered confusing, but better stick with the new style if that's the case.
by Devil
Wed May 09, 2012 9:30 am
Forum: General
Topic: Router OS versions (example x.5 & x.15 &x.05)
Replies: 27
Views: 10257

Re: Router OS versions (example x.5 & x.15 &x.05)

RouterOS always had two dots until a few of the last versions. v2.8.14, v2.9.25 etc. I did not know that. then maybe a better request would be continuing your old version numbering. the numbering you're using right now, is actually only confusing to new users. but when even that could be avoided, w...
by Devil
Tue May 08, 2012 6:42 pm
Forum: Beginner Basics
Topic: IPSec passthrough?
Replies: 3
Views: 2819

Re: IPSec passthrough?

you don't need to do anything. RouterOS NAT function, is perfectly capable of handling ipsec traffic. if the laptop could access the web, it should be able to also connect to that VPN. Simple as that

Edit: if it didn't work, enable NAT-T functionality in your VPN client and try again
by Devil
Tue May 08, 2012 6:02 pm
Forum: General
Topic: Router OS versions (example x.5 & x.15 &x.05)
Replies: 27
Views: 10257

Re: Router OS versions (example x.5 & x.15 &x.05)

It might be just me - but it makes sense to me that as a newer software/firmware comes out that the version numbers should be in order. I can confirm that its not just you. i also made the exact same mistake the first time i saw those version numbers. but as normis pointed out, it seems rather to b...
by Devil
Tue May 08, 2012 5:20 pm
Forum: General
Topic: RouterOS sends RST bit for no apparent reason
Replies: 5
Views: 2163

Re: RouterOS sends RST bit for no apparent reason

Hmm... this is an interesting issue. i would love to know the reason. are you using /ip proxy ? if yes, disable it and disable the associated dst-nat rule . see if it solves the problem. If its really the router that is generating those RST packets, i think you should be able to block them with some...
by Devil
Thu May 03, 2012 10:08 am
Forum: General
Topic: Feature request: Packet-Tracer (like in Cisco ASA)
Replies: 9
Views: 4014

Re: Feature request: Packet-Tracer (like in Cisco ASA)

+1 . i imagine its not easy implementing such a feature. but it would really save us a lot of troubleshooting time
by Devil
Wed May 02, 2012 4:49 pm
Forum: General
Topic: Disgruntled Employee
Replies: 2
Views: 635

Re: Disgruntled Employee

I would start by looking at the scripts and scheduler . make sure everything there makes sense, and all the scripts are things that you need. next step is checking the users section, change the passwords, remove ssh keys. then make sure no vpn connection has been made or could be made. chec...
by Devil
Wed May 02, 2012 3:31 pm
Forum: General
Topic: My set of Feature Requests
Replies: 14
Views: 2492

Re: My set of Feature Requests

The process which stores the rules to disk, runs periodically, independently from when you add the rules. So it can take anywhere from 0 seconds to 5 minutes. then how do you explain "sector writes since reboot" and "total sector writes" , going up right after you make a change (every time) ? sorry...
by Devil
Wed May 02, 2012 2:23 pm
Forum: General
Topic: My set of Feature Requests
Replies: 14
Views: 2492

Re: My set of Feature Requests

They are not rules but address list entries. i have a script that checks the users usage in hotspot and if its more than for example 100MB , it adds their ip address to the address list so their bandwidth could be shared and limited with pcq . the script will remove those entries at the end of each ...
by Devil
Wed May 02, 2012 2:15 pm
Forum: General
Topic: My set of Feature Requests
Replies: 14
Views: 2492

Re: My set of Feature Requests

that's not how it works, all RouterOS configuration is stored in memory, and is written to NAND after some 5 minutes. This is why you will lose config if you power cycle the device shortly after configuration. NAND writes are not a concern when talking about adding rules. The only NAND writes come f...
by Devil
Wed May 02, 2012 1:44 pm
Forum: General
Topic: My set of Feature Requests
Replies: 14
Views: 2492

Re: My set of Feature Requests

Alright, i believe some of those requests, need more explanation. i apologize for any confusions that it might have caused. ill try to explain more: Dynamic based on what??? Do you mean like a time-based rule or something? same as above. with scheduler,netwatch and other facilities, you can have thi...
by Devil
Tue May 01, 2012 5:50 pm
Forum: General
Topic: dynamic throtteling and qos
Replies: 1
Views: 509

Re: dynamic throtteling and qos

The whole idea of qos is dynamic throttling. what you want to accomplish is easily possible. i would go with queue tree with the combination of pcq . create a mangle rule to mark the packets going to those 2 users, create a pcq queue type without specifying a rate limit and set the classifier to 'ds...
by Devil
Tue May 01, 2012 1:09 pm
Forum: General
Topic: How to manually create dynamic rules/address list entries
Replies: 6
Views: 1490

Re: How to manually create dynamic rules/address list entrie

yes you could. and i will be probably using it a lot till Mikrotik implements that as a feature. however, it cant be used everywhere. for example, creating dynamic routes, doesn't seem to be possible with that approach. Edit: by changing ping parameters (ttl , dscp , size) , you are able to create d...
by Devil
Tue May 01, 2012 11:55 am
Forum: General
Topic: Priority in queue not working,using external proxy server
Replies: 7
Views: 1598

Re: Priority in queue not working,using external proxy serve

I honestly don't see why disabling that srcnat would interrupt http traffic. as they're being redirected to the router's webproxy, and the webproxy would handle the rest. and about that srcnat rule( as well as dstnat one), it's a bad practice to create such loose rules. you should specify incoming a...
by Devil
Tue May 01, 2012 11:23 am
Forum: General
Topic: How to manually create dynamic rules/address list entries
Replies: 6
Views: 1490

Re: How to manually create dynamic rules/address list entrie

well.. there is a way to do it.. create a script that will ping those addresses with ttl=1 and timeout=1 (they have not, to be really pinged) and then create a firewall rule at output chain for icmp protocol that will add the dst-address to the desired list That's a very nice workaround mojiro. i a...
by Devil
Mon Apr 30, 2012 1:30 pm
Forum: RouterBOARD hardware
Topic: hardware issues with rb4xx
Replies: 45
Views: 16337

Re: hardware issues with rb4xx

This DOES seem like a serious issue. and you've spent quite some time to track it down. please contact the support team with those information. this has to be fixed.
by Devil
Mon Apr 30, 2012 12:32 pm
Forum: General
Topic: My set of Feature Requests
Replies: 14
Views: 2492

My set of Feature Requests

Hey everyone Let me start by saying that I'm very happy with the MikroTik router. i believe they are doing a great job, providing us something stable and powerful with just the fraction of what the equivalent Cisco would cost. after working with it for quite a while, i came up with a list of things ...
by Devil
Sun Apr 29, 2012 4:19 pm
Forum: SwOS
Topic: Access RB250GS from another subnet?
Replies: 3
Views: 2491

Re: Access RB250GS from another subnet?

I have never worked with SwOS but what you're referring to, is a simple routing issue and id be surprised if it couldn't be done. but to further assist you, i need to know your network scheme. what do you mean "it doesn't have a gateway"? whats the ip of the router? how is it connected to these two ...
by Devil
Sun Apr 29, 2012 3:59 pm
Forum: General
Topic: Priority in queue not working,using external proxy server
Replies: 7
Views: 1598

Re: Priority in queue not working,using external proxy serve

I don't think the problem is proxy server here. cause its completely transparent to router 1. before we go further, that src-nat rule in router 2, looks a bit weird. disable it first. by disabling it, all other traffic from pppoe clients except http would fail ofc. but see if it solves the problem...
by Devil
Sat Apr 28, 2012 2:20 pm
Forum: General
Topic: Best reliable link between 2 mikrotik ?
Replies: 19
Views: 3307

Re: Best reliable link between 2 mikrotik ?

PPTP is subjected to some security flaws. if i was going to use tcp tunneling, id go with SSTP. and probably your most advanced option is L2TP/IPSec
by Devil
Sat Apr 28, 2012 1:50 pm
Forum: General
Topic: Priority in queue not working,using external proxy server
Replies: 7
Views: 1598

Re: Priority in queue not working,using external proxy serve

please paste '/ip proxy print' and '/ip firewall nat print' of your first router
by Devil
Sat Apr 28, 2012 1:40 pm
Forum: General
Topic: Port forwarding through 2 routers -Mikrotik and non-mikrotik
Replies: 5
Views: 1694

Re: Port forwarding through 2 routers -Mikrotik and non-mikr

Your rules seem fine to me. as Sob said, you need to diagnose the problem
by Devil
Sat Apr 28, 2012 1:07 pm
Forum: General
Topic: Priority in queue not working,using external proxy server
Replies: 7
Views: 1598

Re: Priority in queue not working,using external proxy serve

When you enable webproxy on your Bandwidth management/pppoe server, and add the dst-nat to redirect all requests to it, what happens is that the clients don't request the web pages directly anymore but rather they send it to the router and the router requests those for them instead. that's why your ...
by Devil
Sat Apr 28, 2012 10:45 am
Forum: Forwarding Protocols
Topic: Need help firewall filter??
Replies: 3
Views: 1047

Re: Need help firewall filter??

/ip firewall address-list add address=10.10.10.1 list=exceptions
/ip firewall address-list add address=10.10.20.0/24 list=exceptions
/ip firewall address-list add address=10.10.30.0/24 list=exceptions
/ip firewall filter add chain=forward protocol=udp src-port=5060-5062 src-address-list=!exceptions...
by Devil
Fri Apr 27, 2012 3:47 pm
Forum: General
Topic: How can I move Mikrotik Router OS setting from one board to
Replies: 8
Views: 1188

Re: How can I move Mikrotik Router OS setting from one board

You can use Export command, make necessary changes and then Import it to the other one
by Devil
Fri Apr 27, 2012 12:27 pm
Forum: Wireless Networking
Topic: How to Bypass Hotspot Usage Counters for Specific Subnets
Replies: 17
Views: 11457

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

I believe fewi response is still valid. it rarely happens that there would be no workaround for a problem, but in this case, whatever you do, it happens after the packets already marked and counted by hotspot. look at the Packet Flow Diagram . it would be good to have such option however. and you co...
by Devil
Thu Apr 26, 2012 6:10 pm
Forum: General
Topic: Excessive RAM Usage
Replies: 8
Views: 6138

Re: Excessive RAM Usage

Routing cache has got nothing to do with the amount of routes you have or whether they are statics or not. its about how many different destination addresses is being requested by different source addresses. basically, the more users you serve, the faster routing cache will filled up. anyway, probab...
by Devil
Thu Apr 26, 2012 2:13 pm
Forum: General
Topic: Can't Route Between Networks
Replies: 1
Views: 364

Re: Can't Route Between Networks

The image you provided is a bit confusing. is 192.168.88.1 , the only IP of the router? then what are those gateway addresses you set on client A and client B? it appears that Client A and client B you're referring to, are not really clients but two different gateways that could be used to access th...
by Devil
Thu Apr 26, 2012 1:42 pm
Forum: General
Topic: Excessive RAM Usage
Replies: 8
Views: 6138

Re: Excessive RAM Usage

If i remember correctly, v5.12 had a problem with routing cache that it wouldn't free the old entries. try to monitor '/ip route cache print' for a while to confirm this.
either way, i suggest to update your routers from that version to a more stable one.
by Devil
Thu Apr 26, 2012 1:26 pm
Forum: The Dude
Topic: Bandwidth Monitor for Queue Tree
Replies: 1
Views: 1670

Re: Bandwidth Monitor for Queue Tree

Could it be that those values are in bits and by multiplying them by 8, you're just making them in bytes?
by Devil
Tue Apr 24, 2012 5:04 pm
Forum: General
Topic: For how long an entry in routing cache will be kept?
Replies: 4
Views: 1020

Re: For how long an entry in routing cache will be kept?

Hi Chris :) Yes, it does appear that they are different things. as it wouldn't probably make so much sense to have 2 caching system for routing. there's already routing cache, why would you want to introduce another one in connection-tracking ? From the manual: Results of routing decision are rememb...
by Devil
Tue Apr 24, 2012 1:46 pm
Forum: General
Topic: For how long an entry in routing cache will be kept?
Replies: 4
Views: 1020

Re: For how long an entry in routing cache will be kept?

Hey Feklar. thank you for your reply, i appreciate it :) connection-tracking was actually my first thought as well. since its clearly the case for nat and mangle rules, and its enabled in my router. and you are also right that if i close the connection, the new connection goes through the right rout...
by Devil
Mon Apr 23, 2012 8:39 pm
Forum: General
Topic: For how long an entry in routing cache will be kept?
Replies: 4
Views: 1020

For how long an entry in routing cache will be kept?

Hey guys So here's my question in a bit more detailed way: Lets say we have a routing table as follow: DST-ADDRESS PREF-SRC GATEWAY CHECK_GATEWAY Route A: 0.0.0.0/0 192.168.2.2 NO Route B: 192.168.3.1 192.168.1.2 YES Route C: 192.168.1.0/24 192.168.1.1 Route D: 192.168.2.0/24 192.168.2.1 Route C and...
by Devil
Wed Jan 25, 2012 3:33 pm
Forum: General
Topic: v5.12 released
Replies: 144
Views: 25199

Re: v5.12 released

*) hotspot - added login redirect through http status 302; Can we have more information on this? i imagine it means redirect.html and/or alogin.html, now redirect through http status 302 instead of using an html solution. can we get a confirmation on that? and how one can activate it? does that mea...
by Devil
Wed Sep 28, 2011 10:02 pm
Forum: General
Topic: Hotspot login problem
Replies: 2
Views: 586

Re: Hotspot login problem

are those users login/logout a lot? cause one time i saw such behavior when hotspot locked me out and i have to restart the router. happened only once tho. ironically, i was using win7. also its worthy to note that win7 kernel, handles network packets really weirdly. if it fails to reach a host, it ...
by Devil
Wed Sep 28, 2011 7:14 pm
Forum: General
Topic: Hotspot - user profile - idle-timeout not working
Replies: 2
Views: 1335

Re: Hotspot - user profile - idle-timeout not working

altho i knew the difference between idle-timeout and keepalive-timeout , it seems that i have no idea atm. try again with keepalive-timeout this time. its working for me and the client gets disconnected.
by Devil
Wed Sep 28, 2011 6:35 pm
Forum: General
Topic: How to manually create dynamic rules/address list entries
Replies: 6
Views: 1490

Re: How to manually create dynamic rules/address list entrie

Well that's a shame. i did search the forum but didn't find any related topic. nevertheless, i'm gonna send an email to support team and request it one more time. Thank you for your fast reply. i appreciate it :)
by Devil
Wed Sep 28, 2011 6:20 pm
Forum: General
Topic: How to manually create dynamic rules/address list entries
Replies: 6
Views: 1490

How to manually create dynamic rules/address list entries

Hey guys ok, so basically i wrote a script which adds some address list entries everyday and removes them at the end of that day(obviously, those entries could be different from one day to another). adding and deleting entries everyday, causes some extra sector writes that i imagine it could be avoi...
by Devil
Mon Aug 15, 2011 5:28 pm
Forum: General
Topic: Why Hotspot locked me out?
Replies: 3
Views: 451

Could it be because of too many winbox sessions?

Another thing that i can think of is that most of the time when i did logout, winbox was open causing terminating the session abnormally. could it be the cause of that? too many winbox sessions?
by Devil
Mon Aug 15, 2011 4:15 pm
Forum: General
Topic: Why Hotspot locked me out?
Replies: 3
Views: 451

Re: Why Hotspot locked me out?

Hey. thanks for your reply Yes. it is set to 1. but if even my logout procedure didn't work, i should have still had access to dns, login page. Nothing was working from my client, yet other clients were not affected by this. i even restarted my client to make sure its not client side, but only after re...
by Devil
Mon Aug 15, 2011 3:23 pm
Forum: General
Topic: Why Hotspot locked me out?
Replies: 3
Views: 451

Why Hotspot locked me out?

Hi guys. so i was testing hotspot with http-chap. changing some html files in that,... i logged out/logged in a lot of times for that matter. everything was working fine till i decided for the last time, i test login/logout page. i logged out, and that was it. hotspot basically denied all access, ev...
by Devil
Sat Aug 13, 2011 3:53 pm
Forum: General
Topic: What exactly are chap-id/chap-challenge?
Replies: 10
Views: 7070

Re: What exactly are chap-id/chap-challenge?

Yes. I am checking/rewriting the whole thing. Probably would take a couple more days to make this puppet work. But I'm close enough. Thank you again for your help :)
by Devil
Sat Aug 13, 2011 3:43 pm
Forum: General
Topic: What exactly are chap-id/chap-challenge?
Replies: 10
Views: 7070

Re: What exactly are chap-id/chap-challenge?

Yes. Something like that would work. Thank you :)
Although technically, it shouldn't be named $myChapPassword but rather $mymd5hash
by Devil
Sat Aug 13, 2011 3:24 pm
Forum: General
Topic: What exactly are chap-id/chap-challenge?
Replies: 10
Views: 7070

Re: What exactly are chap-id/chap-challenge?

Yes. Something like that. Thank you for your offer. I appreciate it :) . But I already did the hardest part, which was generating the correct md5 hash. Was quite hard tbh. The rest is way easier. And quite done already. I might decide to create a wiki about it later on cause I'm pretty sure no one h...
by Devil
Sat Aug 13, 2011 3:11 pm
Forum: General
Topic: What exactly are chap-id/chap-challenge?
Replies: 10
Views: 7070

Re: What exactly are chap-id/chap-challenge?

I am not certain I understand. If the MD5 encryption is accomplished in the PHP code (server side), you have lost your security on the client side. Why would I lose security on the client side? The client doesn't even know the password. It only gets a one-time-use md5 hash. And the next time, chap...
by Devil
Sat Aug 13, 2011 2:26 pm
Forum: General
Topic: What exactly are chap-id/chap-challenge?
Replies: 10
Views: 7070

Re: What exactly are chap-id/chap-challenge?

Thank you for your reply. Why not use http-pap instead of http-chap for the login? That way no MD5 encryption at all. As I stated, I don't want the users to be able to log in to the hotspot without the permission of the external server first. A non-encrypted password would ruin everything as the clien...
by Devil
Fri Aug 12, 2011 7:53 pm
Forum: General
Topic: PHP md5() for login page
Replies: 10
Views: 4135

Re: PHP md5() for login page

For those who might be interested, I finally could make the md5 hash work through php. The thing to notice is that those \nnn are not normal characters. Each of those represents an octal value. To make the correct md5 hash with php, you need to do it like this: $hash = md5("chap-id".password."chap-ch...
by Devil
Fri Aug 12, 2011 8:38 am
Forum: General
Topic: PHP md5() for login page
Replies: 10
Views: 4135

Re: PHP md5() for login page

Hi. For this reason, I'm also really interested in doing MD5 hashing inside the php and not by a client-side script. This should be possible as otherwise, this method wouldn't work either. Although I don't know anything about javascript at this point, but we have access to the source code (md5.js...
by Devil
Thu Aug 11, 2011 7:49 pm
Forum: General
Topic: What exactly are chap-id/chap-challenge?
Replies: 10
Views: 7070

What exactly are chap-id/chap-challenge?

Hi guys. I searched through the forum but couldn't quite find the answer. I have a php server with a login page that users log in to, to access our local resources. Now what I want to do is to use the same server to redirect the users, after they've logged in, to the Hotspot login page that will ...
by Devil
Wed Aug 03, 2011 11:02 am
Forum: Beginner Basics
Topic: Adding a filter bar in torch
Replies: 22
Views: 3879

Re: Adding a filter bar in torch

Hit F on the keyboard to show this
Doesn't work. At least in v5.5
by Devil
Wed Aug 03, 2011 7:41 am
Forum: Beginner Basics
Topic: Adding a filter bar in torch
Replies: 22
Views: 3879

Re: Adding a filter bar in torch

I have never seen that in v5. But could be awesome nevertheless. I think you get a better chance by contacting support directly and please do post the reply if you get any.
by Devil
Sat Jul 30, 2011 5:38 am
Forum: Beginner Basics
Topic: Which MRU in pppoe client config on ROS should I set?
Replies: 3
Views: 1010

Re: Which MRU in pppoe client config on ROS should I set?

Ok. Thank you, I will. But what about MSS? I'm tempted to also create a static rule above the dynamic ones and also set outgoing tcp syn packets MSS to 1440. It seems to me that I might run into problems with MRU set to 1480 and out packets MSS to 1452. What do you think? Edit: after playing a bit wi...
by Devil
Fri Jul 29, 2011 8:32 pm
Forum: Beginner Basics
Topic: Which MRU in pppoe client config on ROS should I set?
Replies: 3
Views: 1010

Which MRU in pppoe client config on ROS should I set?

Hey guys, so I'm a bit confused about MRU. I'm quite familiar with MTU but MRU, not that much. The default value of MRU for pppoe client on ROSv5 is 1480 (just like MTU). But after connecting, I can see that in the status page, the link MRU seems to be 1492. So should I set it to 1492 or should I leav...
by Devil
Mon Jul 25, 2011 4:23 pm
Forum: Beginner Basics
Topic: How to change statistics views from kbps to KBps?
Replies: 1
Views: 794

How to change statistics views from kbps to KBps?

Hey guys. So basically what I'm wondering is how to see KBps instead of kbps in statistics pages in winbox. That includes: filter rules statistics, mangles, queues,... I don't mind if all inputs are kbps. You don't change them every day. But for statistics... Is it possible? When you get used to ...
by Devil
Fri Jul 22, 2011 1:14 pm
Forum: Beginner Basics
Topic: Why does the ROS configuration sometimes disappear?
Replies: 2
Views: 1567

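Re: Why does the ROS configuration sometimes disappear?

The symptom is this: I configure a ROS and then put it to use in the working environment. After some time (several hours), when I access the ROS with the new user name, I get a password error, while the original admin user can still get in. In other words, the user permission settings have reverted to their initial state. This puzzles me: why does this happen? "Phenomenon is this: configure a ROS, and then used in the operating environment, over a period of time (several hours), I use the new user name to access the ROS will prompt for pass...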
by Devil
Thu Jul 21, 2011 9:17 am
Forum: Beginner Basics
Topic: /ip firewall connection - timeout counts *up*?
Replies: 1
Views: 651

Re: /ip firewall connection - timeout counts *up*?

There, I can see that a particular connection's timeout counted down past 0 and then started counting back *up* again.
I can also confirm this in latest routeros version (5.5). I'm fairly new to routeros but this doesn't seem normal. Is there anything that we're missing?