Community discussions

Search found 1100 matches

by tomaskir
Thu Mar 28, 2019 4:08 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15457

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Let's hope MikroTik can have a build ready with a fix before the full details of this go public...
by tomaskir
Thu Mar 28, 2019 12:19 pm
Forum: Beginner Basics
Topic: Solution for VPN into company network
Replies: 3
Views: 378

Re: Solution for VPN into company network

I recommend doing IPSec XAuth mode-config instead of L2TP/IPSec. It solves multiple issues that L2TP/IPSec has. Here is a presentation that will teach you how to properly set it up: https://youtu.be/QlkIbx0Jpoo (IPsec XAuth mode-config deep-dive) Getting a router with IPSec acceleration is also highl...
by tomaskir
Mon Mar 25, 2019 12:44 pm
Forum: Forwarding Protocols
Topic: MPLS MTU questions
Replies: 1
Views: 492

Re: MPLS MTU questions

MTU on each layer is separate, and each layer needs CORRECT MTU configured, not just as large as the next layer.

I highly recommend checking this presentation from 10:05 onwards.
It discusses MTU in depth:
https://youtu.be/Q8AF-Srulmk?t=606
by tomaskir
Sun Mar 24, 2019 1:05 pm
Forum: General
Topic: Bug in export?
Replies: 3
Views: 337

Re: Bug in export?

Did you create a ticket about this?
(email support@mikrotik.com)
by tomaskir
Fri Mar 22, 2019 1:57 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 45663

Re: Statement on Vault 7 document release

How is that different from /exporting the configuration and git it? Then compare different commits? Cause the video on their homepage just looks like it. The difference is you don't have to do it all by yourself. You would have to script config retrieval, handle all the edge cases and have proper e...
by tomaskir
Thu Mar 21, 2019 5:23 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 45663

Re: Statement on Vault 7 document release

Usually a configuration management system does this for you. Unimus does this out-of-the-box and you can have it set up network-wide in 20 minutes. (this is what I recommended in my talk) You can't really do this in any good way natively in RouterOS or The Dude. And while you could do this using Sys...
by tomaskir
Thu Mar 21, 2019 3:18 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 45663

Re: Statement on Vault 7 document release

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk? Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc? Usually a configuration management system does this for you. Unimus does this out-of-the-box and you c...
by tomaskir
Mon Mar 18, 2019 5:37 pm
Forum: General
Topic: Please add the ability to choose Proposal
Replies: 11
Views: 1371

Re: Please add the ability to choose Proposal

What was suggested was to move all explicit IPSec config to a new proposal called "newproposal". You can then adjust the default one, and your dynamic IPSec things (tunnels with "use-ipsec=yes") will use the default. Anyway, if you are doing any in-depth IPSec config, you should NOT use the automagi...
by tomaskir
Fri Oct 26, 2018 3:01 pm
Forum: General
Topic: Any Chance of a test mode before applying the configuration
Replies: 7
Views: 738

Re: Any Chance of a test mode before applying the configuration

Safe-mode will do the same.

As soon as you lose management connection, it will revert the configuration to the point before safe-mode was engaged.
by tomaskir
Thu Oct 25, 2018 2:01 pm
Forum: General
Topic: Mass Managing Mikrotik
Replies: 11
Views: 2053

Re: Mass Managing Mikrotik

The Dude is a monitoring solution (NMS) - not configuration management. Let's say you want to change a password on 100 'Tiks, or find all 'Tiks running with wireless at freq. 5800 across the network. The Dude will not do that for you - that is the job of a Configuration Management (NCM) solution. Id...
by tomaskir
Wed Oct 24, 2018 4:51 pm
Forum: General
Topic: Mass Managing Mikrotik
Replies: 11
Views: 2053

Re: Mass Managing Mikrotik

Indeed, take a look at Unimus. We do Mass Config Push, upgrades across the network, etc. You can use this to push changes to firewalls across many routers, upgrade RouterOS or RouterBOOT, etc. You will also get configuration change notifications (so anytime a config of any device changes, you get a...
by tomaskir
Thu Aug 30, 2018 7:40 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 3597

Re: New wave of Winbox vuln. attacks

@sajibnandi: It seems you have logging enabled for some rule in the firewall input chain. Depending how input chain is configured, this might be just logging you can disable. Best would be to paste the output of
/ip firewall filter print where chain=input
Looking at the structure of the firewall, we...
by tomaskir
Thu Aug 30, 2018 4:24 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 3597

Re: New wave of Winbox vuln. attacks

I seem to recall there is a way to view the default configuration, but have failed to locate how to do it.
Could you point me in the right direction?

You can print out the default configuration using:
/system default-configuration print
by tomaskir
Thu Aug 30, 2018 12:51 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 3597

Re: New wave of Winbox vuln. attacks

Indeed, the issue will be in accepting "new" state connections in rule no.3. As pointed out by sid5632, this is something that was modified from the default configuration, and that is why you are seeing Winbox login attempts from the internet. Fixing that rule (remove the "new" connection state) is ...
by tomaskir
Tue Aug 28, 2018 1:56 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 3597

Re: New wave of Winbox vuln. attacks

As an update to this, it seems there are currently 2 active variants of attacks: Version 1: Very similar to the attacks on Latin America earlier this month, but executed across the US/EU. This variant modifies SOCKS, and pulls updates using a 'mikrotik.php' file that is downloaded using scripts and ...
by tomaskir
Mon Aug 27, 2018 7:19 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 3597

New wave of Winbox vuln. attacks

There is currently another wave of attacks on RouterOS under way across US/EU address space. This attack utilizes the Winbox vuln. that has been patched in April this year. The current wave of attacks is very similar to the mass-exploitation of routers across Brazil earlier this month. This time tho...
by tomaskir
Tue Aug 21, 2018 5:01 pm
Forum: Beginner Basics
Topic: IPsec-SA expired before finishing rekey [SOLVED]
Replies: 4
Views: 2045

Re: IPsec-SA expired before finishing rekey [SOLVED]

I would suggest creating a ticket with support as well so MKT can check if this is something they can fix.
Simply using PFS for P2 should not break re-keying.
by tomaskir
Thu Aug 16, 2018 12:23 pm
Forum: The Dude
Topic: Mass Password Change [SOLVED]
Replies: 2
Views: 990

Re: Mass Password Change [SOLVED]

With The Dude, there is no way to mass push config.

I recommend checking out Unimus - it will do this with a few clicks.
(create a Mass Config Push preset, select devices, push)

Otherwise, you can always script this yourself using TCL/Expect, or Python.
by tomaskir
Mon Aug 13, 2018 3:45 pm
Forum: General
Topic: Centralized Management
Replies: 4
Views: 2917

Re: Centralized Management

Thanks for the feedback, we are always happy to hear what we can do better :) - Centralized Upgrade: Great, but it would be very helpful to see the current ROS-version of every device in the device-list We want to add this, but since we support 110+ vendors we need to properly implement this for all...
by tomaskir
Mon Aug 13, 2018 1:34 pm
Forum: General
Topic: Monitor wireless values
Replies: 3
Views: 636

Re: Monitor wireless values

Everything you want is in RouterOS wireless MIBs.
/interface wireless
print oid

Use SNMP to retrieve the data, and choose any of the available monitoring platforms to graph it :)
by tomaskir
Mon Aug 13, 2018 1:27 pm
Forum: General
Topic: Centralized Management
Replies: 4
Views: 2917

Re: Centralized Management

Check out Unimus, it was built for exactly this. Here is a manual how to mass-upgrade RouterOS across the network: https://unimus.net/blog/network-wide-mikrotik-routeros-upgrade.html Here is an example of how to validate security (and if the network was hit by recent RouterOS exploits): https://uni...
by tomaskir
Tue Jul 24, 2018 6:28 pm
Forum: Virtualization
Topic: CHR 6.42.6+GNS3 = No RoMON
Replies: 5
Views: 2105

Re: CHR 6.42.6+GNS3 = No RoMON

RoMON uses a MKT proprietary L2 protocol. The default simulated switches in GNS3 only forward Ethernet frames. This is why you are not able to use RoMON, or other non-standard L2 protocol in GNS. Work-around is not to use the GNS3 "switch" object to connect your simulated MKTs, but use something els...
by tomaskir
Sun Jul 22, 2018 2:30 pm
Forum: Wireless Networking
Topic: Wireless Wire MTU, stability
Replies: 5
Views: 1243

Re: Wireless Wire MTU, stability

Sounds like a bug.
Definitely something MKT support should look at.

Did you send a ticket to support with a supout.rif yet?
by tomaskir
Sun Jul 22, 2018 12:47 pm
Forum: General
Topic: Intrusion shortly after sending support file
Replies: 8
Views: 1648

Re: Intrusion shortly after sending support file

1) What version of RouterOS was that router on?
2) Did you have Winbox open publicly on the default port?
by tomaskir
Wed Jul 11, 2018 2:55 pm
Forum: General
Topic: LLDP
Replies: 126
Views: 42959

Re: LLDP

I think everyone in this thread appreciates VERY MUCH that LLDP is implemented at all. And I personally thank the MKT team a lot for this. But I think all of us here wish the work on LLDP would continue, since there is still a lot that can be improved. Also separation of LLDP from MNDP would probabl...
by tomaskir
Wed Jul 11, 2018 1:44 am
Forum: General
Topic: LLDP
Replies: 126
Views: 42959

Re: LLDP

Also no LLDP data is present in SNMP.

Another main use-case for LLDP is to have topology data available over SNMP, so monitoring and mapping software can use it to map the network.
by tomaskir
Sun Jul 08, 2018 5:35 pm
Forum: General
Topic: feature request, auto firewall nat rules [SOLVED]
Replies: 4
Views: 721

Re: feature request, auto firewall nat rules [SOLVED]

You can use this FW rule to accept all NATed connections:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

EDIT: damn, Sob beat me to it :(
by tomaskir
Mon Jul 02, 2018 4:58 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 63
Views: 27708

Re: Winbox v3.16 released!

*) added back support for connecting to older RouterOS v6 versions;
Does this mean that Winbox is again able to download and execute DLLs received from external sources?
by tomaskir
Tue Jun 19, 2018 3:42 pm
Forum: General
Topic: Load custom default config when reset button pressed [SOLVED]
Replies: 1
Views: 377

Re: Load custom default config when reset button pressed [SOLVED]

You will have to use NetInstall to do this.
NetInstall has an option to apply a configuration.

That configuration will be applied as the default config.
(including if the board is reset through the reset button)
by tomaskir
Tue Jun 12, 2018 6:50 pm
Forum: General
Topic: New IP cloud is coming.
Replies: 84
Views: 27052

Re: New IP cloud is coming.

Multi-WAN support for DDNS pretty please?
by tomaskir
Wed Jun 06, 2018 11:06 am
Forum: General
Topic: configuration for multiple routers
Replies: 3
Views: 590

Re: configuration for multiple routers

If you want an easier solution - try Unimus. It will do Mass Config Push for you, and you can have it set up in under 30 minutes. Changing NTP, or creating / modifying users on all MKTs in the network is a few clicks. Here is an example of how to do RouterOS upgrades: https://unimus.net/blog/network-...
by tomaskir
Mon May 21, 2018 8:24 pm
Forum: General
Topic: multi microtik management tool
Replies: 13
Views: 6207

Re: multi microtik management tool

Check out Unimus:
https://unimus.net/

It will do Mass Config Push, change detection, diffs, network-wide config search, etc.
You can easily upgrade RouterOS across the network.

Here is an article on network-wide RouterOS update:
https://unimus.net/blog/network-wide-mi ... grade.html
by tomaskir
Wed May 02, 2018 4:24 pm
Forum: The Dude
Topic: New Dude to Backup Routers
Replies: 23
Views: 4268

Re: New Dude to Backup Routers

Unimus is interesting, even though it IS paid (thanks Hammy). The dev is pretty responsive and he's including [starting to anyway] mechanisms for pushing commands/scripts to devices which is making it somewhat of a change-mgmt platform with some interesting possibilities. This would have been helpf...
by tomaskir
Mon Apr 30, 2018 4:00 pm
Forum: General
Topic: [Guide] Easy network-wide RouterOS upgrades
Replies: 1
Views: 481

[Guide] Easy network-wide RouterOS upgrades

Hi everyone, So with the latest RouterOS exploits, upgrading to an up-to-date RouterOS version is more important than ever. I wrote an article/how-to on an easy way to update RouterOS across your entire network. This article uses RouterOS Package Source feature to act as a local upgrade server. Unimu...
by tomaskir
Mon Apr 23, 2018 3:20 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 113563

Re: v6.43rc [release candidate] is released!

@strods
*) ipsec - added "responder" parameter for "mode-config" to allow multiple initiator configurations (CLI only);

Can you please elaborate on what this does?
by tomaskir
Fri Apr 20, 2018 2:36 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 113563

Re: v6.43rc [release candidate] is released!

Can the phy-rate and RSSI for 60G interfaces also be exposed over SNMP please?

Thanks!
by tomaskir
Mon Mar 19, 2018 1:38 pm
Forum: General
Topic: L2 MTU sizes - STILL confused
Replies: 11
Views: 5605

Re: L2 MTU sizes - STILL confused

Slide 18 and 19 from my presentation on MPLS/VPLS/MTU covers this pretty well:
https://mum.mikrotik.com/presentations/US13/kirnak.pdf

I would also recommend actually watching / listening to the presentation, it covers it much more in depth:
https://youtu.be/Q8AF-Srulmk
by tomaskir
Fri Mar 16, 2018 11:46 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 97396

Re: v6.42rc [release candidate] is released!

Waiting time is not too long. This kind of implementation will satisfy the biggest part of the users so we decided to re-make this generate process. But what is the benefit - what was the original need to change this? Because from what I can see, this has only disadvantages. Making users wait when ...
by tomaskir
Thu Mar 15, 2018 8:20 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 97396

Re: v6.42rc [release candidate] is released!

*) ssh - generate SSH keys only on the first connect attempt instead of the first boot;
Could you please comment on why this change was made? Is it not better to generate these at startup than to make a user wait the first time he connects? Specifically on older boards (with single-core 400MHz CPU...
by tomaskir
Tue Mar 13, 2018 12:36 pm
Forum: General
Topic: Feature request: "Service Group"
Replies: 12
Views: 4512

Re: Feature request: "Service Group"

As you can see, this post is all the way back from 2012.

There has been no change on this, which is sad.
There still is no way to define any groupings for protocols/ports/services in RouterOS.
by tomaskir
Tue Mar 06, 2018 1:10 pm
Forum: The Dude
Topic: Configuration Backup
Replies: 1
Views: 837

Re: Configuration Backup

You can't really have The Dude do any kind of backups / configuration management. If you want a solution that just works, check out Unimus. No need to configure anything on the routers. Takes about 15 minutes to deploy to manage a network of 1000 devices. (assuming you can mass-import devices) You ...
by tomaskir
Wed Feb 28, 2018 3:19 pm
Forum: Scripting
Topic: Mikrotik backup + upload to FTP /problem/
Replies: 8
Views: 1444

Re: Mikrotik backup + upload to FTP /problem/

maybe someday .. mikrotik make some app for all that Great hardware offer, but poor support around maintenance Its easy when you have 1-10 mikrotik routers .. but 100+? As I mentioned in my previous post, you already have multiple solutions that exist that do this. Why should MikroTik write an appl...
by tomaskir
Tue Feb 27, 2018 5:55 pm
Forum: Scripting
Topic: Mikrotik backup + upload to FTP /problem/
Replies: 8
Views: 1444

Re: Mikrotik backup + upload to FTP /problem/

I would suggest getting a proper config management solution.
(that will do config backup, show changes in config, etc.)

You have multiple choices:
Unimus - https://unimus.net/
Oxidized - https://github.com/ytti/oxidized
Rancid - http://www.shrubbery.net/rancid/
etc.

It will be easier to use, much mo...
by tomaskir
Mon Feb 19, 2018 12:10 am
Forum: Scripting
Topic: changing /system default-configuration script
Replies: 5
Views: 2571

Re: changing /system default-configuration script

What is strange is that it is still the original script which is displayed in /system default-configuration. This is a well known "bug" that has been in ROS for many years. Is there a way to view this script inside routerOS ? (could be a good or bad thing since it may embed cleartext passwords) No ...
by tomaskir
Tue Jan 09, 2018 10:20 pm
Forum: General
Topic: Hiring a consultant for configuration support
Replies: 3
Views: 478

Re: Hiring a consultant for configuration support

MikroTik has an official consultant list you can use:
https://mikrotik.com/consultants

I think that might be a better source for knowledgeable MikroTik people than freelance websites.
by tomaskir
Mon Jan 08, 2018 2:26 pm
Forum: General
Topic: Mikrotik developer - Paid Config
Replies: 1
Views: 392

Re: Mikrotik developer - Paid Config

MikroTik has an official consultant list you can use:
https://mikrotik.com/consultants
by tomaskir
Sat Jan 06, 2018 3:38 am
Forum: Beginner Basics
Topic: NAT Loopback for beginner
Replies: 7
Views: 8514

Re: NAT Loopback for beginner

There is a very good article on the wiki that describes all you need to know:
https://wiki.mikrotik.com/wiki/Hairpin_NAT
by tomaskir
Sun Dec 31, 2017 12:12 am
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 52
Views: 9081

Re: High CPU load when PPPoE sessions disconnects

Any interface connecting/disconnecting - does not matter if dynamic or static.
by tomaskir
Sat Dec 30, 2017 6:46 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 52
Views: 9081

Re: High CPU load when PPPoE sessions disconnects

It doesn't matter if the user has public or private IP, it's about interfaces. When interfaces connect/disconnect, in combination with NAT, it gives you high CPU usage. So simply eliminate NAT from that router. Have a separate router "in front" of the PPPoE concentrator, that NATs the traffic from...
by tomaskir
Sat Dec 30, 2017 4:01 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 52
Views: 9081

Re: High CPU load when PPPoE sessions disconnects

Just DO NOT use NAT on any routers that have a high number of connecting/disconnecting interfaces. Use basic networking principle of 'separation of concerns'. Each device in your network should be responsible for one function - don't mix too many things into one device. Place an additional router "in ...
by tomaskir
Fri Dec 29, 2017 4:17 pm
Forum: Beginner Basics
Topic: accept vs return in mangle
Replies: 2
Views: 554

Re: accept vs return in mangle

action=return is supposed to be used with custom chains - to return the packet to the original chain it came from (using the jump action). I am actually not sure what action=return does in one of the built-in chains. Documentation doesn't specify it either. If you want it to be not processed anymore...
by tomaskir
Wed Dec 27, 2017 4:18 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 3275

Re: MPLS MTU Calculations

Yes, but do not forget to properly calculate all other MTUs so MTU is sufficient on every layer.
by tomaskir
Wed Dec 27, 2017 1:54 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 3275

Re: MPLS MTU Calculations

It will work if MTU is sufficient, or higher.
It can be higher, that will not hurt.

But it MUST NOT be lower than required.
by tomaskir
Wed Dec 27, 2017 1:07 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 3275

Re: MPLS MTU Calculations

You need to calculate how much you need at every layer.
(like on slide 19 of the presentation)

If you have 4 tags, then you need to calculate that into the MPLS layer MTU, and MTUs on all underlying layers.
by tomaskir
Wed Dec 27, 2017 12:34 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 3275

Re: MPLS MTU Calculations

VPLS ID is the VPLS tag (it contains the tunnel ID).

A VPLS tag is just another type of MPLS tag - so also just 4 per VPLS tag.
by tomaskir
Tue Dec 26, 2017 11:10 pm
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 3275

Re: MPLS MTU Calculations

Check out this presentation for an in-depth discussion of MTU (and in particular in regards to MPLS/VPLS).

https://youtu.be/Q8AF-Srulmk
by tomaskir
Tue Dec 26, 2017 11:08 pm
Forum: Beginner Basics
Topic: Soft for autobackup many device
Replies: 3
Views: 536

Re: Soft for autobackup many device

Check out Unimus.
https://unimus.net/

It will do exactly what you want :)
by tomaskir
Mon Nov 27, 2017 2:26 pm
Forum: Beginner Basics
Topic: How to configure two Mikrotiks as a failover/backup [SOLVED]
Replies: 4
Views: 586

Re: How to configure two Mikrotiks as a failover/backup [SOLVED]

There are multiple ways to do this, depending on your network layout, and how other things connect to the 1100s.

You will most probably want to go with VRRP tho, judging by your post:
https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP
by tomaskir
Sun Oct 22, 2017 1:45 am
Forum: Beginner Basics
Topic: New advice on Manual Firmware update - Wiki page outdated?
Replies: 1
Views: 881

Re: New advice on Manual Firmware update - Wiki page outdated?

Just download 'Main package', transfer to device, reboot device.

Make sure to download proper architecture, the 'System > Packages' table will tell you yours.
(for SXT, it's mipsbe)
by tomaskir
Thu Oct 19, 2017 12:56 pm
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 1853

Re: Dual WLAN + load balancing + redundancy?

All the things highlighted in your screenshot have different meanings, the 0 are fine. Highlighted rule 1 simply says there is no WAN->LAN traffic through wlan1. Highlighted rules 2 and 3 are 0 because the main load-balancing rule isn't routing any traffic through wlan2. You can see that in the conf...
by tomaskir
Wed Oct 18, 2017 4:29 pm
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 1853

Re: Dual WLAN + load balancing + redundancy?

As I mentioned previously, you will need to have the Traffic Monitor scripts in place to load balance using bandwidth-based load-balancing. Refer to the presentation. Another note - do not use FastTrack with this. FastTrack on purpose doesn't let packets into Mangle (and multiple other RouterOS fa...
by tomaskir
Wed Oct 18, 2017 6:18 am
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 1853

Re: Dual WLAN + load balancing + redundancy?

1) Mangle misconfiguration Rule 10 - you are missing negation signs. "dst-address-type=!local" and "dst-address-list=!Connected" If you are doing bandwidth-based load-balancing, you will also need the Traffic Monitors which switch the routing mark on the main load-balancing Mangle rule. 2) Pings Y...
by tomaskir
Wed Oct 18, 2017 3:13 am
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 1853

Re: Dual WLAN + load balancing + redundancy?

That config is completely wrong, so no wonder it doesn't work :)

Implement proper Mangle as in either of the presentations, then test.
If it still doesn't work after, please post the Mangle export and what doesn't work.
by tomaskir
Wed Oct 18, 2017 12:06 am
Forum: Beginner Basics
Topic: Add firewall filter in top position
Replies: 3
Views: 595

Re: Add firewall filter in top position

Is this what you are looking for?
/ip firewall filter
add src-address-list=device.admins action=accept place-before=3
by tomaskir
Tue Oct 17, 2017 7:52 pm
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 1853

Re: Dual WLAN + load balancing + redundancy?

Most probably it's an issue in your Mangle config.

Please post your Mangle export.
by tomaskir
Tue Oct 17, 2017 9:56 am
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 1853

Re: Dual WLAN + load balancing + redundancy?

You will need to properly set up load balancing using Mangle.
Check out this presentation, it should cover what you need to know:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that's when the Mangle stuff starts.
by tomaskir
Mon Oct 16, 2017 10:02 pm
Forum: Announcements
Topic: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities
Replies: 58
Views: 105599

Re: RouterOS NOT affected by WPA2 vulnerabilities

Good job on the fast announcement and staying on top of the vulnerabilities. Special thanks for the additional per-protocol information and the clarification that was added after the initial post! (for people coming in later - the bottom half of MikroTik's post was added after official information ...
by tomaskir
Sat Oct 14, 2017 6:10 pm
Forum: Beginner Basics
Topic: How to send a backup to email [SOLVED]
Replies: 13
Views: 3624

Re: How to send a backup to email [SOLVED]

You can configure any of them to take a backup every 12h or 24h. Unimus is the simplest to set up, fastest to use, and has nice things like graphical diff (see changes between backups, or between devices), and a network-wide config search. (type in "vlan 1002" and see everywhere in your network that ...
by tomaskir
Sat Oct 14, 2017 5:00 pm
Forum: Beginner Basics
Topic: How to send a backup to email [SOLVED]
Replies: 13
Views: 3624

Re: How to send a backup to email [SOLVED]

Sending backups to email is bad for multiple reasons.
Security, scalability, management (imagine you need to change the email address, or email credentials on 100 devices), etc.

You should look at a proper backup solution, such as Unimus, Rancid or Oxidized.
by tomaskir
Thu Oct 05, 2017 6:03 pm
Forum: General
Topic: snmp security... private or authorized?
Replies: 6
Views: 2425

Re: snmp security... private or authorized?

For SNMPv3:
none - no hashing nor encryption
authorized - hashing
private - hashing and encryption

So for none, you don't need hash or encryption password, just username. SNMPv3 with "none" security behaves much like SNMPv2c. Authorized will use SHA1 or MD5 (depending on your configuration) hash as t...
by tomaskir
Thu Oct 05, 2017 2:29 pm
Forum: General
Topic: 2 Internet Connections, one for Inbound and one for Outbound
Replies: 4
Views: 545

Re: 2 Internet Connections, one for Inbound and one for Outbound

You can have only one default route.
It can go either through WAN1, or WAN2.

As soon as you need some things to go through WAN1, and other things to go through WAN2, you need Mangle.
by tomaskir
Thu Oct 05, 2017 12:49 pm
Forum: General
Topic: 2 Internet Connections, one for Inbound and one for Outbound
Replies: 4
Views: 545

Re: 2 Internet Connections, one for Inbound and one for Outbound

You will need to configure Mangle properly, and handle WAN->Router marking.

Check out this presentation:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that's when the Mangle stuff starts.
by tomaskir
Wed Oct 04, 2017 11:38 pm
Forum: General
Topic: First 100Mbps WAN1, next 100Mbps WAN2
Replies: 4
Views: 568

Re: First 100Mbps WAN1, next 100Mbps WAN2

Great presentation, this is exactly what I needed. Thank you.

Is it possible for me to see the slides in this presentation? It would be a great help.
There is a link in the video description :)
by tomaskir
Wed Oct 04, 2017 3:04 pm
Forum: Beginner Basics
Topic: Rename interfaces [SOLVED]
Replies: 2
Views: 458

Re: Rename interfaces [SOLVED]

I personally consider leaving interface names as default as best practice.

Use comments to store descriptive information about an interface.
by tomaskir
Wed Oct 04, 2017 10:34 am
Forum: General
Topic: First 100Mbps WAN1, next 100Mbps WAN2
Replies: 4
Views: 568

Re: First 100Mbps WAN1, next 100Mbps WAN2

If you are looking for bandwidth-based load balancing, check out this presentation:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that's when the Mangle stuff starts.
by tomaskir
Tue Oct 03, 2017 6:10 pm
Forum: General
Topic: [hEX] 80 PPPoE session on RB750Gr3
Replies: 4
Views: 669

Re: [hEX] 80 PPPoE session on RB750Gr3

Then the hEX should be fine :)
by tomaskir
Tue Oct 03, 2017 5:22 pm
Forum: General
Topic: [hEX] 80 PPPoE session on RB750Gr3
Replies: 4
Views: 669

Re: [hEX] 80 PPPoE session on RB750Gr3

It depends.

How much traffic will there be?

What other things will the box do?
(firewall, QoS, NAT, etc.)
by tomaskir
Mon Oct 02, 2017 7:29 pm
Forum: General
Topic: Wirless Signal Dissaper when iphone is locked
Replies: 3
Views: 499

Re: Wirless Signal Dissaper when iphone is locked

1) This is unrelated to MikroTik, or RouterOS. 2) It's common for smartphones to go into power saving when you lock them / put them into standby mode with the power button. Same for Galaxy S8, use power button to put it into standby, WiFi gets turned off. These are normal power-savings features. On ...
by tomaskir
Mon Oct 02, 2017 7:27 pm
Forum: General
Topic: more that 200 L2TP sessions for HEX (L4 license upgrade for routerbord) [SOLVED]
Replies: 1
Views: 404

Re: more that 200 L2TP sessions for HEX (L4 license upgrade for routerbord) [SOLVED]

Yes, the license limit is applicable to RouterBOARDs. So you will not be able to do more than 200 tunnels on a RouterBOARD with an L4 license. You can buy an L5 license, and apply it to the RB. There is no upgrade (you can't just pay the difference) in RouterOS licensing, so you need a new L5 licens...
by tomaskir
Mon Oct 02, 2017 7:24 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 1098

Re: Dual WAN not responding to external telnet/WinBox requests

Sorry for the late reply, I finally had some time to look at your Mangle export today. 1) move the rules which handle WAN->ROS connections to the top. Before those prerouting rules. 2) do the input/output chain Mangle rules capture any traffic? That is, is the packet counter on all of them increasin...
by tomaskir
Thu Sep 28, 2017 4:49 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 52
Views: 9081

Re: High CPU load when PPPoE sessions disconnects

If you are using Masquerade on the router, that is the problem. When using Masquerade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disconnect. So if you have lots of PPPoE sessions connecting/disconnecting, connection tracking will constantly be recalculated wh...
by tomaskir
Thu Sep 21, 2017 3:32 pm
Forum: General
Topic: List of IPSEC Speed, Encrypt Algo, Hash Algo, DH Group
Replies: 1
Views: 3459

Re: List of IPSEC Speed, Encrypt Algo, Hash Algo, DH Group

We use this with our IPSec everywhere:
Phase 1: AES256, SHA512, MODP2048
Phase 2: AES128, SHA1, MODP2048

For us, this is a good balance of security/performance.

SHA1 in P2 could be improved on, but for our requirements, it's enough.
(since SHA1 collisions have been now performed)
by tomaskir
Thu Sep 21, 2017 2:57 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 1098

Re: Dual WAN not responding to external telnet/WinBox requests

tomaskir is not quite right because it's better to mark connections in prerouting rather than in input. Look at pcc example: https://wiki.mikrotik.com/wiki/Manual:PCC#Application_Example_-_Load_Balancing Maybe you forgot to add respective routes for that routing marks (like in pcc example). And yo...
by tomaskir
Wed Sep 20, 2017 11:03 pm
Forum: Scripting
Topic: creating users with cmd without telnet
Replies: 9
Views: 927

Re: creating users with cmd without telnet

Any script named whatever.auto.rsc will be automatically executed when it is transferred to RouterOS.

So you can create for example users.auto.rsc, with this:

/user
add name=user password=password group=read
And upon being transferred to the router, it will create that user.
by tomaskir
Wed Sep 20, 2017 7:17 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 1098

Re: Dual WAN not responding to external telnet/WinBox requests

Post your entire '/ip firewall mangle export' please.
by tomaskir
Mon Sep 18, 2017 6:27 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 2381

Re: Help with Ipsec and iOS

Ahh in my configuration the two are the same, can that be the problem?
EDIT:
Try to configure the L2TP secret in "/ppp l2tp-secret".
Make sure it's the same as the IPSec PSK in "/ip ipsec peer".

Then make sure it's the same in your client.
by tomaskir
Mon Sep 18, 2017 6:13 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 2381

Re: Help with Ipsec and iOS

The L2TP secret is required. If I remove it, and try to connect I get the message "The IPsec shared secret is missing." There is a difference between IPSec PSK (pre-shared key), and the L2TP secret. You need to use the IPSec PSK (the one configured in "/ip ipsec peer"), but you must not use the L2T...
by tomaskir
Mon Sep 18, 2017 5:53 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 2381

Re: Help with Ipsec and iOS

This would be the issue:
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping

Make sure NOT to use an L2TP secret in the VPN config on the iPhone, only L2TP username/password.
by tomaskir
Mon Sep 18, 2017 5:25 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 2381

Re: Help with Ipsec and iOS

You can turn off logging for IPSec, we see that works.

Turn on logging for L2TP, that should tell us why it's failing to establish an L2TP session.
by tomaskir
Mon Sep 18, 2017 4:36 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 2381

Re: Help with Ipsec and iOS

My PPP configuration is: ... Your PPP profile is wrong. Use it like this: /ppp profile add change-tcp-mss=no dns-server=x.x.x.x local-address=x.x.x.x name=VPN remote-address=VPN_Users use-compression=no use-encryption=no use-ipv6=no use-mpls=no use-upnp=no Change necessary things (such as DNS serv...
by tomaskir
Mon Sep 18, 2017 3:20 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 2381

Re: Help with Ipsec and iOS

It seems IPSec works, and clients can't connect L2TP. We see in the log: 14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.209[4500]->xx.xx.x.68[4500] spi=0xd337886 14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.68[4500]->xx.xx.x.209[4500] spi=0xaddadc4 14:12:51 l2tp,info first ...
by tomaskir
Mon Sep 18, 2017 3:04 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 2381

Re: Help with Ipsec and iOS

1) Make sure you are running latest RouterOS
There have been many IPSec fixes recently.

2) Enable IPSec logging:

/system logging
add topics=ipsec,!debug
3) Post your "/ip ipsec export" here
Maybe it's something simple we can spot just from the export.
by tomaskir
Sat Sep 16, 2017 2:38 pm
Forum: Beginner Basics
Topic: Small firewall question
Replies: 2
Views: 506

Re: Small firewall question

You will have to use the bridge.
Then either use bridge filters, or enable "Use IP firewall" for bridge, and use firewalling to block it.

In firewall, simply drop everything other than what you want to allow.
by tomaskir
Sat Sep 16, 2017 1:17 pm
Forum: Beginner Basics
Topic: port targeting with two WAN
Replies: 3
Views: 460

Re: port targeting with two WAN

You need to do Mangle like this: /ip firewall mangle add chain=prerouting src-address=192.168.0.0/24 connection-mark=no-mark action=mark-connection new-connection-mark=ThroughOnly_WAN2 add chain=prerouting src-address=192.168.0.0/24 connection-mark=ThroughOnly_WAN2 action=mark-routing new-routing-ma...
by tomaskir
Sat Sep 16, 2017 2:33 am
Forum: Beginner Basics
Topic: port targeting with two WAN
Replies: 3
Views: 460

Re: port targeting with two WAN

You will need to configure policy based routing (PBR) in Mangle.

I suggest looking through the wiki and the forums, there are plenty of Mangle examples for PBR.
by tomaskir
Fri Sep 15, 2017 7:11 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 1098

Re: Dual WAN not responding to external telnet/WinBox requests

Your Mangle is wrong. You need to handle incoming connections in the input chain, and set the routing mark in output. Do it like in the presentation, and it will work: /ip firewall mangle add chain=input connection-mark=no-mark in-interface=ISP_1 action=mark-connection new-connection-mark=WAN1->ROS a...
by tomaskir
Fri Sep 15, 2017 6:00 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 1098

Re: Dual WAN not responding to external telnet/WinBox requests

You need to properly handle WAN->Router connections in Mangle. Meaning, if a connection from a certain WAN is initiated, it needs to be replied to over the same WAN. Look at this presentation, it should explain everything: https://youtu.be/67Dna_ffCvc Feel free to skip to around 6:30 - that's when t...
by tomaskir
Fri Sep 15, 2017 5:59 pm
Forum: General
Topic: how to setup fallover and port forwarding correctly
Replies: 1
Views: 380

Re: how to setup fallover and port forwarding correctly

You need to properly handle WAN->LAN connections in Mangle. Meaning, if a connection from a certain WAN is initiated, it needs to be replied to over the same WAN. Look at this presentation, it should explain everything: https://youtu.be/67Dna_ffCvc Feel free to skip to around 6:30 - that's when the ...
by tomaskir
Fri Sep 15, 2017 1:21 am
Forum: General
Topic: Doing NAT inside a single L2 domain (vlan)
Replies: 3
Views: 541

Re: Doing NAT inside a single L2 domain (vlan)

You should route that public /24 to the customer. So instead of your router serving as the gateway for "his" public /24, you will instead route that entire /24 to his router's IP. That way he can terminate that public /24 on his own router, and do with it as he pleases. He would also be able to route...
by tomaskir
Thu Sep 14, 2017 5:17 pm
Forum: Announcements
Topic: Newsletter 78 with 1GBPS WIRELESS PRODUCT ANNOUNCEMENT!
Replies: 109
Views: 29331

Re: Newsletter 78 with 1GBPS WIRELESS PRODUCT ANNOUNCEMENT!

Any news on the LHG 60? We really need those in our network :) Wireless Wire is our first 60GHz product, LHG series will follow. Please give this kit a chance - performance will pleasantly surprise You. It's not that it's missing performance, we have some 200-300 meter links we would really like to ...
by tomaskir
Thu Sep 14, 2017 4:31 pm
Forum: Announcements
Topic: Newsletter 78 with 1GBPS WIRELESS PRODUCT ANNOUNCEMENT!
Replies: 109
Views: 29331

Re: Newsletter 78 with 1GBPS WIRELESS PRODUCT ANNOUNCEMENT!

Any news on the LHG 60?

We really need those in our network :)
by tomaskir
Thu Sep 14, 2017 2:05 pm
Forum: General
Topic: Backup mikrotik configurations
Replies: 10
Views: 1841

Re: Backup mikrotik configurations

Unimus is not a cloud software, you run it locally on your servers.
Unless you stick it in the cloud.
Touché :D
by tomaskir
Thu Sep 14, 2017 2:04 pm
Forum: General
Topic: IPsec Performance
Replies: 16
Views: 9528

Re: IPsec Performance

Hi! Could you help me with speed limit IPsec Traffic on RB/951G-2HnD if we use SHA-1 AES-256 Group2 (1024-bits)?
Which speed will handle its with aes256?
Here is a hAP AC IPSec performance test:
viewtopic.php?f=2&t=99975

You can expect 951G to do about 20% less.
by tomaskir
Thu Sep 14, 2017 3:19 am
Forum: General
Topic: Backup mikrotik configurations
Replies: 10
Views: 1841

Re: Backup mikrotik configurations

Have a look at https://unimus.net/
No thanks. Only interested in local solutions.
Unimus is not a cloud software, you run it locally on your servers.
by tomaskir
Thu Sep 14, 2017 3:00 am
Forum: General
Topic: If distance and scope are the same value, how will the default gateway be determined?
Replies: 2
Views: 590

Re: If distance and scope are the same value, how will the default gateway be determined?

Scope is used for reverse route lookup, so if a route does not need to be reverse looked-up, scope is not used. For your use-case, just adjust the distance as needed. Routes are resolved by specific-ness (more specific mask always wins), then by distance (lower distance wins). As mentioned previousl...
by tomaskir
Fri Apr 21, 2017 7:12 pm
Forum: General
Topic: New OID for CPU
Replies: 7
Views: 4590

Re: New OID for CPU

It is simple: .1.3.6.1.2.1.25.3.3.1.2 is a standards based OID (coming from the host mgmt MIB). The MIB specifies: The average, over the last minute, of the percentage of time that this processor was not idle. Implementations may approximate this one minute smoothing period if necessary. Meaning the...
by tomaskir
Mon Nov 28, 2016 7:53 pm
Forum: General
Topic: MPLS PPPoE
Replies: 3
Views: 666

Re: MPLS PPPoE

There is also a video that goes with it, it might help you if you only have the .pdf:
https://www.youtube.com/watch?v=Q8AF-Srulmk
by tomaskir
Fri Sep 30, 2016 1:31 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 75242

Re: v6.38rc [release candidate] is released

I see my LLDP peers in the "/ip neighbour show" table on RouterOS. They don't have any info other than mac-address and IP (Mikrotik devices show software-id, version, etc.)
Neither of the 2 switches connected to my test MikroTik show up over LLDP in its "/ip neighbor print detail".
by tomaskir
Fri Sep 30, 2016 1:12 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 75242

Re: v6.38rc [release candidate] is released

Our switch sees the MikroTik in its LLDP table now, just no way to configure it on RouterOS yet I guess.
And no way to see LLDP peer table in Router OS yet.

And of course LLDP data is not in SNMP either...
by tomaskir
Fri Sep 30, 2016 12:56 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 75242

Re: v6.38rc [release candidate] is released

Where can I configure LLDP, I can't find anything related to it in "/ip neighbor" or anywhere else.
by tomaskir
Thu Apr 14, 2016 2:53 pm
Forum: General
Topic: LLDP
Replies: 126
Views: 42959

Re: LLDP

Please do not forget to implement LLDP MIB in SNMP, I think having LLDP information available over SNMP is a crucial feature for everyone.
by tomaskir
Fri Oct 30, 2015 2:22 pm
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7539

Re: info CCR1072-1G-8S+

We also have quite a few CCRs deployed, and have not had issues. If you know what you are doing, and doing everything properly (test config changes and version upgrades in a lab before going live), you should not have issues. You will find that many people that complain either don't know what they ar...
by tomaskir
Wed Oct 28, 2015 6:56 pm
Forum: General
Topic: router is trying to connect to this after been rebooted?
Replies: 4
Views: 822

Re: router is trying to connect to this after been rebooted?

Seems like "/ip cloud" auto time set, or "/system clock" auto time-zone detection.

You can disable both.
by tomaskir
Mon Oct 26, 2015 5:23 pm
Forum: General
Topic: info tx/rx rate show in new terminal
Replies: 2
Views: 931

Re: info tx/rx rate show in new terminal

Be careful, looking at a one-off snapshot of current traffic on interface is NOT at all precise. For example, you take a snapshot every 10s, and both snapshots show 10kbps traffic. But this is totally imprecise, what if in-between, the traffic was 5mbps? Do it the same way SNMP does, take the count...
by tomaskir
Mon Oct 26, 2015 2:36 pm
Forum: RouterBOARD hardware
Topic: RB850Gx2 vs hex
Replies: 5
Views: 2191

Re: RB850Gx2 vs hex

It is not that the 850Gx2 doesn't support fast-path, it's that the tests were done before fast-path support was in RouterOS. (since 850Gx2 is an older product than hEX - and MikroTik apparently didn't update the test results on the 850Gx2 page) 850Gx2 fully supports fast path, and will always be quite...
by tomaskir
Mon Oct 12, 2015 11:48 am
Forum: General
Topic: v6.33rc release candidate (final testing)
Replies: 203
Views: 37327

Re: v6.33rc release candidate (final testing)

Confirming reboot loop on CCR1036 and CCR1009.
by tomaskir
Fri Oct 02, 2015 1:19 pm
Forum: Wireless Networking
Topic: Poe swtich : Hp 1910-8g-Poe (180watt) + netmetal always poweroff
Replies: 7
Views: 1014

Re: Poe swtich : Hp 1910-8g-Poe (180watt) + netmetal always poweroff

NetMetals only support passive PoE, they do NOT support .3at/.3af.

Check here:
http://routerboard.com/RB921UAGS-5SHPacT-NM
802.3af support no
by tomaskir
Wed Sep 23, 2015 4:56 pm
Forum: General
Topic: BGP TTL protection per RFC 3682
Replies: 2
Views: 1271

Re: BGP TTL protection per RFC 3682

I know this is not exactly what you are looking for, but you can change the TTL of any packets from your MikroTik using Mangle.

This work-around could be used at least temporarily to achieve what you describe.
by tomaskir
Mon Sep 21, 2015 6:04 pm
Forum: General
Topic: Telnet to 161 for snmp causes router to lock up
Replies: 3
Views: 553

Re: Telnet to 161 for snmp causes router to lock up

Did you make a support ticket?

If not, please make a support ticket by mailing to support@mikrotik.com
by tomaskir
Mon Sep 14, 2015 3:39 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208308

Re: Feature requests

Add option to define in radius configuration tab, IP by which will be sending always request to Radius server I have 30 IP's and MT always is sending request to radius server via first IP. Sometimes something is wrong and MT is trying send request via other IP. Problem is that on radius server i ha...
by tomaskir
Fri Sep 11, 2015 12:30 pm
Forum: General
Topic: Training: I'd like to be a certified trainer.
Replies: 1
Views: 685

Re: Training: I'd like to be a certified trainer.

Contact training@mikrotik.com, they will be glad to assist you.
by tomaskir
Thu Sep 10, 2015 5:59 pm
Forum: RouterBOARD hardware
Topic: RB1200 low bandwidht/high latency on some ports
Replies: 4
Views: 814

Re: RB1200 low bandwidht/high latency on some ports

Yes, the problems with 9-10 were with jitter, lower speed, and possible packet-loss.

I have never seen issues on ether2 on RB1200, and as you can see from forum searches, no one else complains either.
by tomaskir
Thu Sep 10, 2015 5:49 pm
Forum: RouterBOARD hardware
Topic: RB1200 low bandwidht/high latency on some ports
Replies: 4
Views: 814

Re: RB1200 low bandwidht/high latency on some ports

RB1200 is no longer sold for about 2 years now.

It had BAD issues with ether9 and ether10, avoid those ports.
Rest of the ports were good, it was a good board as long as you didn't use 9-10.

We still have many deployed, kicking hard without any issue (again we are not using ports 9-10).
by tomaskir
Mon Sep 07, 2015 6:06 pm
Forum: General
Topic: Reverse NAT or WAN NAT Redirection on RouterOS
Replies: 3
Views: 1105

Re: Reverse NAT or WAN NAT Redirection on RouterOS

Here you go, this should give you all required info to solve it:
http://wiki.mikrotik.com/wiki/Hairpin_NAT
by tomaskir
Mon Sep 07, 2015 11:52 am
Forum: Announcements
Topic: v6.30.4 bugfix release
Replies: 104
Views: 26638

Re: v6.30.4 bugfix release

Found a minor bug in 6.30.4, easy to duplicate.

Winbox 3rc12
RB1100AHx2

Control B does not work to bring up comments. Works fine on RB2011iL

Cheers
Ctrl+M is the shortcut for comments...
by tomaskir
Thu Sep 03, 2015 6:49 pm
Forum: General
Topic: Load Balance Incoming Connection Issues - Similar IPs - Connect from Home to Work.
Replies: 2
Views: 496

Re: Load Balance Incoming Connection Issues - Similar IPs - Connect from Home to Work.

You do not have proper mangling on WAN->Router and WAN->LAN connections.
A connection initiated on a certain ISP MUST BE replied to using the same ISP.

Go over this presentation, it will explain more:
https://www.youtube.com/watch?v=67Dna_ffCvc
by tomaskir
Mon Aug 31, 2015 10:31 pm
Forum: RouterBOARD hardware
Topic: RBmAP2n - system reset removes files???
Replies: 2
Views: 1328

Re: RBmAP2n - system reset removes files???

Read the "Warning" section here:
http://wiki.mikrotik.com/wiki/Manual:System/File

So on devices with "flash" directory, put files you want to persist over a reboot/reset in that directory.
by tomaskir
Fri Aug 28, 2015 7:47 pm
Forum: General
Topic: hAP IPSec performance tests
Replies: 0
Views: 1519

hAP IPSec performance tests

Hi guys, I did some IPSec performance tests on the hAP today, sharing results here. Tests were performed using IPSec in tunnel mode. Performance tested using iperf in udp mode, routing through the tunnel. General configuration details: L2 FastPath used: Yes L3 FastPath used: No FastTrack used: No Fi...
by tomaskir
Wed Aug 05, 2015 6:12 pm
Forum: General
Topic: CRS & Bonding LACP
Replies: 11
Views: 2229

Re: CRS & Bonding LACP

No, CRS does NOT have hw support for bonding nor LACP.
by tomaskir
Mon Aug 03, 2015 8:27 pm
Forum: Beginner Basics
Topic: One pptp-server on each wan interface
Replies: 4
Views: 736

Re: One pptp-server on each wan interface

How can I bind pptp-server to a specific incoming interface? What should I do if I want to up two different ( authentication service ) pptp-servers on the mikrotik Use firewall to drop/allow connection only from specific interfaces. As for your 2nd question, can you please be more clear? What exact...
by tomaskir
Thu Jul 30, 2015 3:36 pm
Forum: Beginner Basics
Topic: Simple question 750GL dual wan
Replies: 3
Views: 617

Re: Simple question 750GL dual wan

Yes it is possible.
by tomaskir
Thu Jul 30, 2015 12:30 pm
Forum: Wireless Networking
Topic: Network Bandwidth Monitoring ?
Replies: 12
Views: 2058

Re: Network Bandwidth Monitoring ?

I really recommend a look at NetXMS. It's completely free (and open source) works great with MikroTik. We use it as a centralized Monitoring, Management and Alerting platform. We run all our analytics on it, use it for inventory management, IP space management, etc. It's got a bit of a learning curve,...
by tomaskir
Mon Jul 27, 2015 6:02 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 188219

Re: Cloud Hosted Router

Integrated it in my GNS3 instead of my current images, completely smooth and works very nicely.
Getting MikroTik working in GNS3 is now a 3-click process.

I am EXTREMELY happy with this, very nice job MikroTik, major props for this!
by tomaskir
Mon Jul 27, 2015 5:57 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 188219

Re: Cloud Hosted Router

So, the vmdk is already a 64bit build.

Can't run it using i386, only runs on a x64 VM.

Very nice!
by tomaskir
Sat Jul 25, 2015 8:45 pm
Forum: Announcements
Topic: v6.30.2 bugfix release
Replies: 148
Views: 38191

Re: v6.30.2 bugfix release

I just upgraded our company's CCR1036-8G from 6.3 to 6.30.2 and then upgraded the Firmware from 3.10 to 3.27. Since upgrading our PPTP VPN connections are dropping randomly with an error "CCP lost compression got our of sync: disabling compression" then the next message is "terminating... - Encrypt...
by tomaskir
Thu Jul 23, 2015 10:30 am
Forum: RouterBOARD hardware
Topic: Serial number oid via snmp...
Replies: 9
Views: 3390

Re: Serial number oid via snmp...

If not mistaken you using snmp walk right, then it may go to your routerboard but not for all...
i have different version of the RouterOS and non of them success to read...
What version of RouterOS do you have?
by tomaskir
Wed Jul 22, 2015 6:47 pm
Forum: RouterBOARD hardware
Topic: Serial number oid via snmp...
Replies: 9
Views: 3390

Re: Serial number oid via snmp...

.1.3.6.1.4.1.14988.1.1.7.3.0 works for me for Serial number.
Remember that x86 RouterOS doesn't have serial number.

What RouterOS version are you using?
by tomaskir
Wed Jul 22, 2015 9:57 am
Forum: Announcements
Topic: v6.30.x bugfix release
Replies: 136
Views: 33702

Re: v6.30.1 bugfix release

Winbox ignores tick "IP - UPnP - Show Dummy Rule" - they always are in NAT tab. Could you fix it? (Or please give an advice how to report this annoying thing?)
Thanks.
Send the report to support@mikrotik.com
by tomaskir
Mon Jul 20, 2015 12:35 pm
Forum: General
Topic: Login problem - bad rule
Replies: 2
Views: 386

Re: Login problem - bad rule

Click on the MAC address of your device in Winbox to connect using MAC-Winbox.

This is a pure L2 connection, so is not blocked by Firewall.

Then do all the changes through that.
by tomaskir
Wed Jul 15, 2015 4:34 pm
Forum: General
Topic: [BUG?] 6.30 - Getting wireless frequency no longer works
Replies: 1
Views: 407

Re: [BUG?] 6.30 - Getting wireless frequency no longer works

6.30 has new wireless-fp package, "frequency" parameter is no longer available.

You can use this however:
{
/interface wireless
:local tTest [monitor wlan1 once as-value]
:put [:pick ($tTest->"channel") 0 4]
}
by tomaskir
Wed Jul 15, 2015 4:08 pm
Forum: Wireless Networking
Topic: Finding which channel has 'auto' selected
Replies: 2
Views: 563

Re: Finding which channel has 'auto' selected

/interface wireless monitor wlan1
by tomaskir
Wed Jul 15, 2015 1:41 pm
Forum: Announcements
Topic: v6.30.x bugfix release
Replies: 136
Views: 33702

Re: v6.30.1 bugfix release

Awesome job on the new release system!

Thank you for doing it!
by tomaskir
Tue Jul 14, 2015 2:43 pm
Forum: General
Topic: How to flush a single SA?
Replies: 2
Views: 642

Re: How to flush a single SA?

If you have multiple peers, you can kill a single peer in /ip ipsec remote-peers (which will ofc flush SAs of that peer).

It's at least a little better than flushing all SAs.
by tomaskir
Mon Jul 13, 2015 1:15 pm
Forum: Wireless Networking
Topic: [bug] wireless-fp and CLI tab-completion not working
Replies: 2
Views: 500

[bug] wireless-fp and CLI tab-completion not working

With wireless-fp (which is now the default wireless package) tab-completion for the "country" doesn't work. /interface wireless> set [find name=wlan1] country=[TAB] Will NOT give you all available countries. This means there is no way for you to see in the CLI all the available countries for selectio...
by tomaskir
Thu Jul 09, 2015 4:08 pm
Forum: General
Topic: 6.30 ipsec-policy matcher question
Replies: 7
Views: 1258

Re: 6.30 ipsec-policy matcher question

Now added to fw manual. There you will find difference between ipsec and none Just a final confirmation, so basically the settings are: ipsec-policy=in,none - incoming packets matched by any policy before decryption ipsec-policy=in,ipsec- incoming packets matched by any policy after decryption ipse...
by tomaskir
Thu Jul 09, 2015 3:04 pm
Forum: General
Topic: 6.30 ipsec-policy matcher question
Replies: 7
Views: 1258

6.30 ipsec-policy matcher question

Hi guys, What's the difference between ipsec-policy=in,ipsec and ipsec-policy=in,none? It's not made clear in the new Manual article http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Allow_Only_Ipsec_Ecapsulated_Traffic Also the options are not yet described in the firewall Manual article http://wiki.mikr...
by tomaskir
Tue Jun 23, 2015 1:55 pm
Forum: RouterBOARD hardware
Topic: hEX lite, function of ports
Replies: 3
Views: 1009

Re: hEX lite, function of ports

All ports are totally equal and can be anything.
The labels are just how the router behaves with default (factory) config.

You can reconfigure the router to do anything.
by tomaskir
Tue Jun 23, 2015 10:48 am
Forum: General
Topic: ipsec and multiple ip addresses on interface
Replies: 5
Views: 1691

Re: ipsec and multiple ip addresses on interface

There is local-address in 6.27 too, I tried that, that doesn't help...

I also tried to add y.y.y.y/32 route to peer with pref-src=x.x.x.x. It doesn't work as well.
It works correctly for me even with 6.23.

Are you sure other NAT / Mangle rules are not interfering?
by tomaskir
Fri Jun 19, 2015 5:29 pm
Forum: General
Topic: ipsec and multiple ip addresses on interface
Replies: 5
Views: 1691

Re: ipsec and multiple ip addresses on interface

Yes, using 6.29.1, you can specify IP address used per-peer.
/ip ipsec peer set 0 local-address=x.x.x.x
by tomaskir
Fri Jun 19, 2015 2:57 pm
Forum: General
Topic: Optimize WLAN Bridge as Low Latency connection for DSL Bonding
Replies: 12
Views: 2079

Re: Optimize WLAN Bridge as Low Latency connection for DSL Bonding

Nstream will be the best option for lowest latency (if like you mentioned, throughput is secondary).
by tomaskir
Fri Jun 19, 2015 12:17 pm
Forum: General
Topic: Support for PPPoE MTU > 1492 (via RFC4638 PPP-Max-Payload)
Replies: 18
Views: 5276

Re: Support for PPPoE MTU > 1492 (via RFC4638 PPP-Max-Payload)

You have something configured wrong then. 1500 works without a problem. Client config: /ppp profile add change-tcp-mss=no name=pppoe use-compression=no use-encryption=no use-ipv6=no use-mpls=no \ use-vj-compression=no /interface pppoe-client add disabled=no interface=ether1 keepalive-timeout=10 max-...
by tomaskir
Thu Jun 18, 2015 12:31 pm
Forum: General
Topic: Support for PPPoE MTU > 1492 (via RFC4638 PPP-Max-Payload)
Replies: 18
Views: 5276

Re: Support for PPPoE MTU > 1492 (via RFC4638 PPP-Max-Payload)

PPPoE client supports 1500 MTU in v6.x

Support for MTU >1500 is not there, but 1500 is supported.
/interface pppoe-client add interface=ether1 max-mtu=1500 max-mru=1500
by tomaskir
Wed Jun 17, 2015 1:47 pm
Forum: General
Topic: Mikrotik Hotspot Manager [beta]
Replies: 44
Views: 23462

Re: Mikrotik Hotspot Manager [beta]

The link isn't working :? :?
This thread is 9 years old...
This is the UserManager ... you can get the package and install it in your MikroTik.

Do NOT bump old threads.

Can this please be locked?
by tomaskir
Wed Jun 17, 2015 1:45 pm
Forum: The Dude
Topic: List of limitations/bugs/fixes/todo in The Dude 4.0b3?
Replies: 3
Views: 1757

Re: List of limitations/bugs/fixes/todo in The Dude 4.0b3?

4.0b3 uses an embedded sqlite DB to store things in. As soon as the DB file is larger than 2GB, you are screwed (that is the limit on the old sqlite drivers Dude 4.0b3 is using). There are ways to recover - includes deleting all historical data. You however have to manually dump (export) the sqlite ...
by tomaskir
Wed Jun 17, 2015 12:21 pm
Forum: General
Topic: Error in "Current Firmware Version" in system/routerboard?
Replies: 6
Views: 1034

Re: Error in "Current Firmware Version" in system/routerboard?

Yes, some of the newer units update firmware automatically.

After you reboot for ROS update, you will see the standard firmware update message in the log, and after another reboot, you will have newest firmware automatically.
by tomaskir
Wed Jun 17, 2015 12:20 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 3151

Re: Packet gets lost: how to debug?

Well, without getting access to the system and playing with it directly, I don't see why it doesn't work.

You can contact me at tomas[at]atris[dot]sk if you want more direct help.
Or maybe someone else can help you.
by tomaskir
Wed Jun 17, 2015 10:13 am
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 3151

Re: Packet gets lost: how to debug?

Post your "/ip rou exp" please. There are 2 things I can see happening: 1) routing engine dropping packets because of no route or a blackhole route 2) packets are arriving with TTL of 1, therefore are being dropped I also advise sniffing the traffic (there is an action in prerouting that can do that...
by tomaskir
Tue Jun 16, 2015 6:59 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 3151

Re: Packet gets lost: how to debug?

You mentioned in your previous posts you can properly see the return traffic in mangle pre-routing: prerouting in:ether1-gateway out:(none), src-mac e4:48:ab:ab:ab:ab, proto ICMP (type 8, code 0), 10.5.1.14->10.0.10.2, len 84 This means the encrypted traffic is properly coming in and being decrypted...
by tomaskir
Tue Jun 16, 2015 5:02 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 3151

Re: Packet gets lost: how to debug?

The addresses being incorrect and missing incoming ipsec firewall rule was a copy-paste mistake on my end. Sorry for the confusion. That is why I said it would not work with the previously posted config. I can also confirm traffic is arriving at 10.5.1.14 when pinging from 10.0.10.2. Replies from 1...
by tomaskir
Tue Jun 16, 2015 4:11 pm
Forum: General
Topic: using snmp v3 v3.20
Replies: 6
Views: 5345

Re: using snmp v3 v3.20

what is the difference between SECUIRITY=PRIVATE VS SECURITY=AUTHORIZED ?
Do NOT bump a 4 years old topic.

Regarding your question, watch this presentation and you can learn all about SNMP and SNMP in MikroTik:
https://www.youtube.com/watch?v=McUCYuy9Cv0
by tomaskir
Tue Jun 16, 2015 4:08 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 3151

Re: Packet gets lost: how to debug?

First of all, from these exports, your IPSec should not work at all, since the policies don't match the peers: /ip ipsec peer add address=54.239.63.154/32 ... add address=54.239.63.155/32 ... /ip ipsec policy add ... sa-dst-address=54.239.63.111 ... add ... sa-dst-address=54.239.63.222 ... add ... sa...
by tomaskir
Tue Jun 16, 2015 3:06 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 3151

Re: Packet gets lost: how to debug?

Post your export of:
/ip ipsec exp
/ip fi filt exp
/ip fi nat exp
/ip fi mang exp
/ip rou exp
by tomaskir
Mon Jun 15, 2015 3:52 pm
Forum: Beginner Basics
Topic: OID SNMP
Replies: 1
Views: 3034

Re: OID SNMP

Go over the data in this presentation:
https://youtu.be/McUCYuy9Cv0

It will give you all useful OIDs and what is located where.
by tomaskir
Mon Jun 15, 2015 12:50 pm
Forum: General
Topic: Set Admin Password via Config File (Flashfig)
Replies: 8
Views: 1411

Re: Set Admin Password via Config File (Flashfig)

/user set [/user find name="admin"] password=123456
by tomaskir
Tue Jun 09, 2015 11:54 am
Forum: Announcements
Topic: v6.29 released
Replies: 193
Views: 49671

Re: v6.29 released

Hi, I think this is a bug or something can't say clearly. Problem is when change SIM card for RB922 or RB912 with RouterOS v6.29.1. Have 2 SIM card with different ISP. Another have PIN code other not have PIN code. When first card which have PIN code everything works fine, but when I change card to ...
by tomaskir
Tue Jun 09, 2015 11:48 am
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 5763

Re: VPLS/MPLS via ospf in wireless network

1508 is however correct if you need to deliver full frames (1500) in a pppoe session inside of the vpls tunnel.

Which is what the presentation was dealing with.
by tomaskir
Mon Jun 08, 2015 10:46 am
Forum: Announcements
Topic: v6.29 released
Replies: 193
Views: 49671

Re: v6.29 released

@normis
I have managed to reproduce a very rare and annoying bug [Ticket#201503206600075]

It will go away if I reboot the device.
Could someone from support please look at this so I can give you guys SSH access?
I can't keep the device in this state for long, since it needs to be used.
by tomaskir
Tue Jun 02, 2015 11:27 am
Forum: General
Topic: Winbox 3 RC
Replies: 639
Views: 124025

Re: Winbox 3 RC

It was announced before somewhere, that single letter shortcuts are removed, because there was a risk of accidentally removing, disabling, etc. We will add shift or something to these keys Yes, I read that and I understand why that was done for remove/disable etc. But comment was not mentioned. Comm...
by tomaskir
Tue Jun 02, 2015 10:05 am
Forum: General
Topic: Winbox 3 RC
Replies: 639
Views: 124025

Re: Winbox 3 RC

The C button no longer works for me to set comments in RC10.

Is this also happening for others?
by tomaskir
Thu May 28, 2015 4:25 pm
Forum: General
Topic: "no-mark" as default mark to all connections and traffic
Replies: 19
Views: 7663

Re: "no-mark" as default mark to all connections and traffic

Very useful and it significantly reduces complexity :) . I just came across the need for a default routing-mark=no-mark as well which is not implemented as of now (v6.28) :(
This post is from 2009.

This is already working as described in 6.28.

@MikroTik - Please lock this topic.
by tomaskir
Mon May 25, 2015 12:58 pm
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 5763

Re: VPLS/MPLS via ospf in wireless network

Are you using nv2 for wireless?
by tomaskir
Mon May 25, 2015 12:23 pm
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 5763

Re: VPLS/MPLS via ospf in wireless network

1500 is the correct L3 and L2 MTU on the VPLS interface in your test scenario. Remember that MTU (L3 MTU) in MKT is with the data, L4 and L3 headers counted in. Calculation of MTU from the point of view of the VPLS interface: 1472 data + 8 icmp header + 20 ip header = 1500 L3 MTU for the VPLS interf...
by tomaskir
Mon May 25, 2015 11:50 am
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 5763

Re: VPLS/MPLS via ospf in wireless network

Hi, Well, that works, but I have read somewhere that the vpls interface will fragment the package anyway, due that I can ping with 1500 packetsize as well. Eth header 14, MPLS 4, VPLS ID 4, VPLS 4, IP header 20 + data 1500 + ping header 8 = 1554 How does this work ? ? ? Yes, VPLS interface will fra...
by tomaskir
Fri May 22, 2015 7:07 pm
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 5763

Re: VPLS/MPLS via ospf in wireless network

Yes, your calculations are correct, and it will work. Just remember to set the L2MTU correctly on all interfaces on all devices. As for how to test it: Simply create a VPLS tunnel between 2 routers, and try to ping within that tunnel with 1472 packet size with do-not-fragment set. (1472 because ICMP...
by tomaskir
Tue Apr 28, 2015 2:56 pm
Forum: Announcements
Topic: FastTrack - New feature in 6.29
Replies: 237
Views: 140167

Re: FastTrack - New feature in 6.29

Question - if I have no rules in forward chain - only in input chain (typical transit router) - will FastTrack be active? IMO, if there are no rules in a default chain, that chain should automatically be FastTracked (so I don't have to add rules now to tons of transit routers to take advantage of Fas...
by tomaskir
Tue Apr 28, 2015 12:35 pm
Forum: Announcements
Topic: FastTrack - New feature in 6.29
Replies: 237
Views: 140167

Re: FastTrack - New feature in 6.29

I will wait for 6.29 final before trying this, but in your rules you add a fasttrack rule and then an accept rule. What happens if there is no accept rule. Doesn't the fasttrack rule here do exactly this - passthrough all packets matched by it ? Yes, but accept is also needed - it was mentioned in ...
by tomaskir
Fri Apr 24, 2015 6:19 pm
Forum: Announcements
Topic: RouterOS v6.28 released
Replies: 229
Views: 62091

Re: RouterOS v6.28 released

Router RB850Gx2 hangs on reboot if serial port is removed from the /system console [admin@RB850Gx2] > /system console print Flags: X - disabled, U - used, F - free # PORT TERM RouterBOOT booter 3.22 RouterBoard 850Gx2 CPU frequency: 533 MHz Memory size: 512 MiB NAND size: 512 MiB Press any key with...
by tomaskir
Fri Apr 24, 2015 12:17 pm
Forum: General
Topic: How can i load-balance vpn-tunnel traffic over two links?
Replies: 8
Views: 2276

Re: How can i load-balance vpn-tunnel traffic over two links?

How ECMP checks the current link load before send the traffic to this link? There is no load checking. ECMP simply routes each packet over one of the available gateways in a round-robin fashion. There is a catch however - routing decisions are cached by the kernel, so actually, ECMP is more like pe...
by tomaskir
Wed Apr 22, 2015 2:40 pm
Forum: Announcements
Topic: RouterOS v6.28 released
Replies: 229
Views: 62091

Re: RouterOS v6.28 released

Problem with e-mail client still exists.
If you use TLS then the second EHLO, which is normally issued after STARTTLS, is malformed and rejected by postfix with error "Helo command rejected: invalid ip address"
Did you report this to support@mikrotik.com?
by tomaskir
Tue Apr 21, 2015 2:43 pm
Forum: The Dude
Topic: The Dude Alternatives
Replies: 26
Views: 27585

Re: The Dude Alternatives

Thanks. Do you use an agent for those Windows servers? I was hoping to find a way to monitor disk space and memory usage through snmp but that's been more difficult than expected. No, we monitor all using SNMP. It's the same as in The Dude, this is all from the Storage table at OID .1.3.6.1.2.1.25.2...
by tomaskir
Fri Apr 17, 2015 5:01 pm
Forum: General
Topic: v6.28 will be released this week!
Replies: 72
Views: 19027

Re: v6.28 will be released this week!

We have plans to release v6.28 during this week.
Really this week?
Better late than with bugs!
by tomaskir
Wed Apr 15, 2015 5:37 pm
Forum: General
Topic: BGP4-MIB for SNMP monitoring
Replies: 2
Views: 1487

Re: BGP4-MIB for SNMP monitoring

+1 for BGP-MIB

STP-MIB would also be really useful :)
by tomaskir
Mon Apr 13, 2015 5:15 pm
Forum: General
Topic: How can i load-balance vpn-tunnel traffic over two links?
Replies: 8
Views: 2276

Re: How can i load-balance vpn-tunnel traffic over two links?

How can i use ECMP with IPsec VPN-tunnel? You can't use it with IPSec in tunnel mode. You need to manipulate the routing table, which IPSec tunnel mode policies do not use. Use IPSec in transport mode with a different tunneling protocol (like GRE or L2TP), which will give you an interface, and you c...
by tomaskir
Mon Apr 13, 2015 12:55 pm
Forum: General
Topic: The Radius packets can't pass over ipsec with RouterOS
Replies: 5
Views: 868

Re: The Radius packets can't pass over ipsec with RouterOS

Which IP is the Radius server and which IP is the radius client? Because you mention The packets will be send from 112.25.145.100, but not encrypted and not pass over Ipsec. If packets from 112.25.145.100 are not encrypted, you are showing us exports from the wrong router (the router hosting 192.168...
by tomaskir
Mon Apr 13, 2015 12:47 pm
Forum: General
Topic: Problem with SSH client
Replies: 2
Views: 569

Re: Problem with SSH client

It would be helpful if you actually described what the problem is.
by tomaskir
Mon Apr 13, 2015 12:45 pm
Forum: Beginner Basics
Topic: Copying Config to Different Model of Mikrotik Router Board
Replies: 2
Views: 799

Re: Copying Config to Different Model of Mikrotik Router Board

Just a side note, if you have ROS v5, use
/export compact file=name.rsc
If you have ROS v6, use
/export file=name.rsc
by tomaskir
Fri Apr 10, 2015 3:51 pm
Forum: Beginner Basics
Topic: IPSec/L2TP help
Replies: 2
Views: 624

Re: IPSec/L2TP help

It's a known issue with MikroTik IPSec.
It's actually an issue in MikroTik NAT-T functionality.

You can not have multiple clients from one public IP.

Consider building a site-to-site tunnel, or use a different tunneling protocol, such as SSTP.
by tomaskir
Fri Apr 10, 2015 12:03 pm
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 51042

Re: RB3011 Block diagram?

This is the CPU that we will use for RB3011: http://www.anandtech.com/show/7526/qualcomm-atheros-announces-new-internet-processor-lineup-ipq8064-and-ipq8062 Can you as well confirm that both switch-chips have a full-duplex 2Gbps link to the CPU? And if the HW acceleration support for AES is going t...
by tomaskir
Thu Apr 09, 2015 12:03 pm
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 51042

Re: Re:

It's likely one of "off the shelf" inexpensive A9 twin-core SoC, which explains relatively small performance (for twin-core 1.2GHz chip). a12/a17 do about 42% more performance than A9 (on same clock on similar die) and a53 and a57 do about 2.5x and 4x times (in peak not sustained/stressed)more perform...
by tomaskir
Wed Apr 08, 2015 7:30 pm
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 51042

Re: RB3011 Block diagram?

Oh wow, that would be a big upgrade over everything with a switch chip that they used before. Even the CCR1009 has a 1Gbit link internally to the 4x1Gbps connected through the switch chip. Are you sure he said 2Gbps per switch chip link, or maybe he meant 1Gbps to each switch chip so 2Gbps in total...
by tomaskir
Wed Apr 08, 2015 4:28 pm
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 51042

Re:

And what about hardware aes support?
Since CPU brand/type is currently unknown, if it supports aes hw acceleration is also unknown.
by tomaskir
Wed Apr 08, 2015 2:52 pm
Forum: General
Topic: How can i load-balance vpn-tunnel traffic over two links?
Replies: 8
Views: 2276

Re: How can i load-balance vpn-tunnel traffic over two links?

A much better solution is to use ECMP load-balancing over the VPN links. If you balance on L2 (using EoIP), you will get huge problems with out-of-order packet delivery, fragmentation, and a lot of other things. Using ECMP also has its disadvantages (very similar to LACP), but overall, is a better s...
by tomaskir
Wed Apr 08, 2015 11:55 am
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 51042

Re: RB3011 Block diagram?

I asked Janis about the internals at the MUM, here are a few clarifications:

2 switch chips, each 5x 1GBit ports.
Each switch chip connected to CPU with a 2GBit link.

1x MiniPCI-E for wireless cards.

CPU brand/type unknown.
by tomaskir
Wed Apr 08, 2015 11:49 am
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208308

Re: Feature requests

hi if it is possible to have the pppoe server listens to several interfaces instead of one interface .. i have 7 vlans and i have to have 7 pppoe servers for each vlan interface it would be nice to have one pppoe server for 7 interfaces Create a bridge, use split bridge horizon to isolate the port...
by tomaskir
Sat Mar 21, 2015 1:15 am
Forum: General
Topic: LLDP
Replies: 126
Views: 42959

Re: LLDP

NMSs also use it to build topology tables (and maps).

It would be EXTREMELY useful for this purpose to us.
by tomaskir
Wed Mar 11, 2015 6:06 pm
Forum: General
Topic: RouterOS 6.17 - Disabled Radius Login
Replies: 2
Views: 969

Re: RouterOS 6.17 - Disabled Radius Login

I had this problem before.

NetInstall the device, that fixed it for me.
by tomaskir
Mon Mar 09, 2015 5:10 pm
Forum: General
Topic: SNMP v3 error with new Cacti Install Router os 6.18
Replies: 3
Views: 865

Re: SNMP v3 error with new Cacti Install Router os 6.18

There have been issues with SNMP in a few older versions...

What I recommend:
Use latest RouterOS with latest firmware (RouterBOOT).

I have had issues where SNMP didn't work because RouterBOOT was older version, even when RouterOS was newest version.
by tomaskir
Mon Mar 09, 2015 12:09 pm
Forum: The Dude
Topic: The Dude Alternatives
Replies: 26
Views: 27585

Re: The Dude Alternatives

how they interact with MikroTik?
You can use SNMP, same as in the Dude.
by tomaskir
Tue Mar 03, 2015 1:51 pm
Forum: Scripting
Topic: Setting admin password with netinstall configure script
Replies: 5
Views: 1484

Re: Setting admin password with netinstall configure script

/user set [/user find name="admin"] password="mypassword"
by tomaskir
Wed Feb 25, 2015 11:27 am
Forum: Announcements
Topic: v6.28 RC testing
Replies: 42
Views: 14852

Re: v6.28 RC testing

Ticket#2014122966000079
This is a bug with the route table not being available over SNMP.

Ticket#2014120866000733
This is a bug with VirtualAP showing inside SNMP Station Interface table (mtxrWlStatEntry)
by tomaskir
Mon Feb 23, 2015 7:21 pm
Forum: General
Topic: SNMP Returns Multiple Variables need help deciphering.
Replies: 5
Views: 1152

Re: SNMP Returns Multiple Variables need help deciphering.

There are InOctets and OutOctets for every interface...

So what you are seeing in there is for every interface on your router.
by tomaskir
Thu Feb 12, 2015 1:32 pm
Forum: Announcements
Topic: RouterOS v6.27 released
Replies: 273
Views: 100170

Re: RouterOS v6.27 released

Normis, can you please look at these: Ticket#2014122966000079 Ticket#2014120866000733 Ticket#2015020266000252 The first two are more feature requests than bugs. The latest is new, so not answered yet, but before our specialist has looked at it, it may be specific hardware problem or something else,...
by tomaskir
Thu Feb 12, 2015 11:55 am
Forum: Announcements
Topic: RouterOS v6.27 released
Replies: 273
Views: 100170

Re: RouterOS v6.27 released

Normis, can you please look at these:

Ticket#2014122966000079
Ticket#2014120866000733
Ticket#2015020266000252
by tomaskir
Thu Feb 05, 2015 5:11 pm
Forum: General
Topic: SNMP Rx Rate Tx Rate for Wired interfaces.
Replies: 3
Views: 1398

Re: SNMP Rx Rate Tx Rate for Wired interfaces.

Its in the standard ifMIB:
.1.3.6.1.2.1.2.2.1.5
by tomaskir
Thu Feb 05, 2015 1:48 pm
Forum: General
Topic: Tapatalk and Karma
Replies: 60
Views: 4840

Re: Tapatalk and Karma

Ok, so basically what you are saying is: "We have decided on this because we like it and we are not willing to hear feedback. Instead we are going to reply with links to jokes and just ignore our user-base." Now I'm fully aware that I'm just expressing my opinions as well, and that most userbase might o...
by tomaskir
Thu Feb 05, 2015 1:15 pm
Forum: General
Topic: Tapatalk and Karma
Replies: 60
Views: 4840

Re: Tapatalk and Karma

Alright, here we go: Problem 1) Forums are not properly sized on higher resolutions and about 40% of the screen space is wasted. This is using Win7, newest chrome, 1920x1080 screen. att1.JPG Problem 2) "Show x posts" buttons are hidden behind menus and places inconsistently. This adds additional cli...
by tomaskir
Thu Feb 05, 2015 12:07 pm
Forum: General
Topic: Tapatalk and Karma
Replies: 60
Views: 4840

Re: Tapatalk and Karma

Normis, all of these changes decrease my productivity on the forum.
Why are we sacrificing user-friendliness and usability to get a modern look?

We are even missing features which were present in the previous forums ("Show unread posts").
by tomaskir
Wed Feb 04, 2015 8:55 pm
Forum: General
Topic: Tapatalk and Karma
Replies: 60
Views: 4840

Re: Tapatalk and Karma

And since we are talking about this: Why are "Your posts" (old "Show my posts") and other post-related buttons in different places? ("Your posts" hidden behind my name menu and other post-related menus hidden behind "Forum" menu) Why are they even hidden behind menus? These are the buttons I use th...
by tomaskir
Wed Feb 04, 2015 8:47 pm
Forum: General
Topic: Tapatalk and Karma
Replies: 60
Views: 4840

Re: Tapatalk and Karma

And where is the "Show unread posts" button?

Also, where is the option to change to prosilver and subsilver themes?
(not in the user control panel)
by tomaskir
Fri Jan 30, 2015 3:14 pm
Forum: General
Topic: Resetting configuration on first boot
Replies: 2
Views: 757

Re: Resetting configuration on first boot

You can also use MAC-Telnet to connect to the device when you clear the config.

One example utility for Linux:
https://github.com/haakonnessjoen/MAC-Telnet

Debian/Ubuntu:
apt-get install mactelnet-client
by tomaskir
Fri Jan 30, 2015 2:33 pm
Forum: General
Topic: Change SNMP Port on RouterOS v6.22
Replies: 3
Views: 2618

Re: Change SNMP Port on RouterOS v6.22

In NAT on the router terminating the public IP, simply NAT the requests correctly:
PublicIP:SomePort -> LocalIP:161

/ip firewall nat add chain=dstnat dst-address=publicip protocol=udp dst-port=someport action=dst-nat to-addresses=localip to-ports=161
by tomaskir
Fri Jan 30, 2015 2:24 pm
Forum: Beginner Basics
Topic: Step Up from the RB2011....?
Replies: 22
Views: 4772

Re: Step Up from the RB2011....?

750 series - up to 60 Mbit firewall / routing / NAT / QoS - up to 12 Mbit IPSec (aes128, md5) 951/2011 series - up to 120 Mbit using firewall / routing / NAT / QoS - up to 18 Mbit IPSec (aes128, md5) 1100AHx2 - up to 2 Gbit using firewall / routing / NAT / QoS - up to 550 Mbit IPSec (aes128, sha1) T...
by tomaskir
Fri Jan 30, 2015 2:18 pm
Forum: Beginner Basics
Topic: Create chains
Replies: 1
Views: 2038

Re: Create chains

Simply create a new firewall rule, and inside the chain option, write the new chain's name.
by tomaskir
Fri Jan 30, 2015 2:16 pm
Forum: General
Topic: Antivirus defs not updating on mikrotik 750
Replies: 7
Views: 1409

Re: Antivirus defs not updating on mikrotik 750

If manual update works and automatic update doesn't work, it has NOTHING to do with networking.

You do NOT need to forward any ports, these are all out-bound connections.
by tomaskir
Thu Jan 29, 2015 1:06 pm
Forum: General
Topic: Feature Request: DNS package
Replies: 13
Views: 3028

Re: Feature Request: DNS package

This has been requested many times for a long time now:
http://forum.mikrotik.com/viewtopic.php?f=19&t=85716

MikroTik seems not to care :(

Definitely a +1
by tomaskir
Thu Jan 29, 2015 12:30 pm
Forum: Beginner Basics
Topic: Mikrotik L2TP client setup like as Windows connection
Replies: 2
Views: 650

Re: Mikrotik L2TP client setup like as Windows connection

You need to set up full L2TP/IPSec, not just L2TP.

See this video:
http://tiktube.com/video/mIgH3hmodoLHnH ... tKlGonDpI=

There is a part in it on how to configure MikroTik as an L2TP/IPSec client.
by tomaskir
Wed Jan 28, 2015 5:13 pm
Forum: General
Topic: RB750GL Routing/NAT and PPPoE Peformance
Replies: 2
Views: 647

Re: RB750GL Routing/NAT and PPPoE Peformance

750 series - up to 60 Mbit firewall / routing / NAT / QoS - up to 12 Mbit IPSec (aes128, md5) 951/2011 series - up to 120 Mbit using firewall / routing / NAT / QoS - up to 18 Mbit IPSec (aes128, md5) 1100AHx2 - up to 2 Gbit using firewall / routing / NAT / QoS - up to 550 Mbit IPSec (aes128, sha1) T...
by tomaskir
Wed Jan 28, 2015 11:31 am
Forum: Virtualization
Topic: HOWTO: Dual-booting RouterOS and OpenWRT on RouterBoard
Replies: 20
Views: 11950

Re: HOWTO: Dual-booting RouterOS and OpenWRT on RouterBoard

Ha, well, I am flattered you would say this, but the truth is that I am not qualified to work on MetaROUTER. I have neither the requisite knowledge or experience engineering hypervisors. :) All I essentially did to come up with the kernel I did was to act as an "editor" of sorts, pulling in bits an...
by tomaskir
Tue Jan 27, 2015 3:28 pm
Forum: Virtualization
Topic: HOWTO: Dual-booting RouterOS and OpenWRT on RouterBoard
Replies: 20
Views: 11950

Re: HOWTO: Dual-booting RouterOS and OpenWRT on RouterBoard

Why hasn't MikroTik hired you yet to fix MetaROUTER? :(

Great job, wish MKT would fix all of the current issues and we could all be happier...
by tomaskir
Mon Jan 26, 2015 6:14 pm
Forum: General
Topic: v6.26 will be released on 6th week of 2015, check the latest
Replies: 64
Views: 17722

Re: v6.26 almost ready for FULL RELEASE - please check lates

Ticket#2014122966000079
Ticket#2014120866000733

Please?
by tomaskir
Wed Jan 21, 2015 12:22 pm
Forum: General
Topic: Winbox 3 beta
Replies: 243
Views: 120039

Re: Winbox 3

We are already on beta12, so progress is going fast. It is much more stable than v2 ever was
So PLEASE PLEASE release that beta version?

Why keep us on beta3 which has many issues?
by tomaskir
Wed Dec 17, 2014 3:34 pm
Forum: General
Topic: Best load balancing method for 4 WAN links
Replies: 19
Views: 11241

Re: Best load balancing method for 4 WAN links

Hi all, I am reading your Load balance Bandwidth base Method (MUM_US12) http://mum.mikrotik.com/presentations/US12/tomas.pdf but I don't understand this. I connect to the internet by PPPoe-Client (pppoe-out1,2,3); do I have to do anything at this stage? Thank you /ip firewall address-list add address=1.1.1.0/24 l...
by tomaskir
Tue Dec 16, 2014 11:26 am
Forum: General
Topic: IPSec succeeds but L2TP fails to establish - client lonely
Replies: 13
Views: 9000

Re: IPSec succeeds but L2TP fails to establish - client lone

What version of RouterOS are you using?

Post export from:
/ip add
/ip ipsec
/ip fi
/ppp

Feel free to remove sensitive information.
by tomaskir
Fri Dec 05, 2014 12:04 pm
Forum: Announcements
Topic: 6.23 released!
Replies: 143
Views: 53925

Re: 6.23 released!

Bug with SNMP not enabling without a reboot from ticket [Ticket#2014112666000541] is also fixed.

Why is it not in the change-log? :(
by tomaskir
Wed Dec 03, 2014 4:50 pm
Forum: RouterBOARD hardware
Topic: 850Gx2 block diagram
Replies: 2
Views: 981

Re: 850Gx2 block diagram

But if I plug a GBit into ether1 and ether5, and want to run routing between them, I will only get 1GBit full duplex throughput, not 2GB full duplex, because realistically, there is only a single 1GBit link to the CPU, right?
by tomaskir
Mon Dec 01, 2014 1:35 pm
Forum: RouterBOARD hardware
Topic: 850Gx2 block diagram
Replies: 2
Views: 981

850Gx2 block diagram

Could the board block diagram please be posted to routerboard.com for 850Gx2? While we are at it, can the performance tables also be added? I know they are posted here in the forum, but please add them? What I'm interested in: is ether1-ether5 on a single switch-chip or is ether1 direct-to-cpu? If it...
by tomaskir
Thu Nov 27, 2014 12:57 pm
Forum: Forwarding Protocols
Topic: VPLS L2MTU / PW-MTU calculation seems wrong
Replies: 6
Views: 3270

Re: VPLS L2MTU / PW-MTU calculation seems wrong

Where and how are you capturing the packets?

Can you draw a diagram of your setup, including where the packet capture device is?

Also please include /exports :)
by tomaskir
Thu Nov 27, 2014 12:43 pm
Forum: Forwarding Protocols
Topic: VPLS L2MTU / PW-MTU calculation seems wrong
Replies: 6
Views: 3270

Re: VPLS L2MTU / PW-MTU calculation seems wrong

The packet is transparently fragmented and re-constructed by the VPLS interface driver in RouterOS. If you set a do-not-fragment flag in ICMP, that only applies to routing (L3) logic. MPLS and VPLS are L2.5, they do NOT care about an ICMP do-not-fragment flag, and will happily fragment the frame anyw...
by tomaskir
Thu Nov 27, 2014 11:10 am
Forum: Forwarding Protocols
Topic: PPPoE over EOIP - better switch to VPLS?
Replies: 17
Views: 5803

Re: PPPoE over EOIP - better switch to VPLS?

Watch the presentation in my sig, as I mentioned earlier.

It goes into heavy detail on MTU with MPLS/VPLS and especially PPPoE over VPLS.
by tomaskir
Wed Nov 26, 2014 12:12 pm
Forum: General
Topic: Central management for authentification
Replies: 8
Views: 1881

Re: Central management for authentification

Use RouterOS Radius client for AAA.

As a server, I recommend FreeRadius.
by tomaskir
Fri Nov 21, 2014 11:14 am
Forum: General
Topic: Feature request: More RADIUS reply attributes
Replies: 5
Views: 1909

Re: Feature request: More RADIUS reply attributes

+1

Especially for PPP profile.
by tomaskir
Wed Nov 19, 2014 3:21 pm
Forum: The Dude
Topic: The Dude Alternatives
Replies: 26
Views: 27585

Re: The Dude Alternatives

Well, take a look at http://www.netxms.org, and will find an alternative that is like The Dude, really! Has anyone tested netxms in a large(r) environment? It's not very clear to me how I can create a structure/hierarchy with all servers and network components. We have NetXMS monitoring about 150 n...
by tomaskir
Wed Nov 19, 2014 1:51 pm
Forum: General
Topic: New forum look & feel
Replies: 64
Views: 8442

Re: New forum look & feel

Thank you, thank you!
subsilver2, welcome back.

Now I'm not necessarily against the new theme, just please improve it more. I think there have been enough comments in this whole thread to tell you what is wrong with it by now.
by tomaskir
Mon Nov 17, 2014 8:48 pm
Forum: Forwarding Protocols
Topic: PPPoE over EOIP - better switch to VPLS?
Replies: 17
Views: 5803

Re: PPPoE over EOIP - better switch to VPLS?

Watch the presentation in my sig.
by tomaskir
Mon Nov 17, 2014 8:43 pm
Forum: Forwarding Protocols
Topic: MTU problem only on router B - ospf/mpls/vpls based network
Replies: 6
Views: 2363

Re: MTU problem only on router B - ospf/mpls/vpls based netw

Hi Tomaskir, In my environment i think 1526 of mpls-mtu is enough because I don't have vlan. By the way I have a look to your presentation and in parallel I am in contact with mikrotik support. Remember that we have side 1 of infrastructure that work properly so I don't understand why this problem ...
by tomaskir
Fri Nov 14, 2014 9:00 pm
Forum: Beginner Basics
Topic: Load balancing(1calbe+wifi) and failover
Replies: 10
Views: 2108

Re: Load balancing(1calbe+wifi) and failover

Notification with email is easy, simply use netwatch to monitor the host which is used for failover based on recursive route lookup. Then if that host goes down, fire an email using the netwatch scripts. As for packet-loss, you have 2 options: 1) Write a script which monitors it for you and then swi...
by tomaskir
Fri Nov 14, 2014 6:34 pm
Forum: Beginner Basics
Topic: Load balancing(1calbe+wifi) and failover
Replies: 10
Views: 2108

Re: Load balancing(1calbe+wifi) and failover

For failover based on packet-loss, that is really hard to implement...

For failover on total link dropout (can't ping IP x over the link) I use this solution lately:
http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting
by tomaskir
Fri Nov 14, 2014 2:20 pm
Forum: Forwarding Protocols
Topic: MTU problem only on router B - ospf/mpls/vpls based network
Replies: 6
Views: 2363

Re: MTU problem only on router B - ospf/mpls/vpls based netw

PPPoE encapsulated in VPLS needs 1530 MPLS MTU...

Check page 18 and 19 of the presentation linked in my sig.
by tomaskir
Fri Nov 14, 2014 9:37 am
Forum: General
Topic: New forum look & feel
Replies: 64
Views: 8442

Re: New forum look & feel

spacing is corrected readability of topic list improved post body text visibility improved and signature/title made lighter unread posts is back contrast improved with new color scheme Thank you, it is better now! A few things however: 1) Additional clicks and waiting for a menu to appear are still...
by tomaskir
Fri Nov 14, 2014 9:32 am
Forum: Beginner Basics
Topic: Tutorials?
Replies: 3
Views: 1273

Re: Tutorials?

CLI is very self-explanatory in MikroTik, if something is written in CLI, you can easily figure out how to configure it in GUI.

For all learning needs:
http://wiki.mikrotik.com
http://www.tiktube.com
by tomaskir
Thu Nov 13, 2014 6:50 pm
Forum: General
Topic: 6.22 released!
Replies: 151
Views: 54838

Re: 6.22 released!

i have yet to see them just simply ignore a genuine bug report which provided enough resources to actually replicate/solve the problem.
Then you have not been here long enough.

I could give you many ticket IDs which show differently...
by tomaskir
Thu Nov 13, 2014 6:47 pm
Forum: Beginner Basics
Topic: Mangle - Mark routing
Replies: 2
Views: 1087

Re: Mangle - Mark routing

Watch this:
http://tiktube.com/video/DofH3iFnjDJomG ... uKlEoLqHq=

The 2nd half of the presentation explains what you want to know.
by tomaskir
Thu Nov 13, 2014 6:46 pm
Forum: General
Topic: New forum look & feel
Replies: 64
Views: 8442

Re: New forum look & feel

The "View unread posts" is not gone - it's at the "Forum" menu on top, renamed to "View new posts" ("unread" is implied).
It is gone.
"View unread posts" and "View new posts" are 2 totally different functions.
"unread" is NOT implied, as "View new posts" shows posts already read.
by tomaskir
Thu Nov 13, 2014 5:37 pm
Forum: General
Topic: New forum look & feel
Replies: 64
Views: 8442

Re: New forum look & feel

Agree about all the above - I really don't like this too light and too bright color scheme. Also: 1) "View unread posts" functionality is gone. 2) All "View x posts" buttons now require one more click. Before they were right at the top. This is not much, but it's an extra click, wait for menu to appea...
by tomaskir
Thu Nov 13, 2014 4:20 pm
Forum: General
Topic: IPSec Users | Use ldap from Windows AD?
Replies: 3
Views: 1880

Re: IPSec Users | Use ldap from Windows AD?

As mentioned before XAuth currently doesn't support Radius auth.

For other AAA needs against LDAP (AD DS), set up an NPS server (Windows Radius) and auth against that.
There are multiple topics on the forum about this, if you need help, post here.
by tomaskir
Thu Nov 13, 2014 12:52 pm
Forum: Beginner Basics
Topic: Load balancing(1calbe+wifi) and failover
Replies: 10
Views: 2108

Re: Load balancing(1calbe+wifi) and failover

Take a look at this.. it not only shows how to do this, but also explains step by step.

http://mum.mikrotik.com/presentations/US12/tomas.pdf
Here is the video for more explanation:
http://tiktube.com/video/DofH3iFnjDJomG ... uKlEoLqHq=
by tomaskir
Fri Nov 07, 2014 10:36 am
Forum: General
Topic: v6.21.1 released
Replies: 112
Views: 27564

Re: v6.21.1 released

On my RB1100AHx2 I got 40-60% unclassified CPU usage after upgrade (in idle). Downgrade to 6.20 brings it down to 0 - 0.2%. On other single core Atheros based boards, everything seems fine (750GL, 951G, Omnitik, CRS-125). Email support, seems like the same problem I linked in http://forum.mikrotik....