Community discussions

Search found 1092 matches

by tomaskir
Fri Oct 26, 2018 3:01 pm
Forum: General
Topic: Any Chance of a test mode before applying the configuration
Replies: 7
Views: 339

Re: Any Chance of a test mode before applying the configuration

Safe-mode will do the same.

As soon as you lose management connection, it will revert the configuration to the point before safe-mode was engaged.
by tomaskir
Thu Oct 25, 2018 2:01 pm
Forum: General
Topic: Mass Managing Mikrotik
Replies: 11
Views: 1032

Re: Mass Managing Mikrotik

The Dude is a monitoring solution (NMS) - not configuration management. Let's say you want to change a password on 100 'Tiks, or find all 'Tiks running with wireless at freq. 5800 across the network. The Dude will not do that for you - that is the job of a Configuration Management (NCM) solution. Id...
by tomaskir
Wed Oct 24, 2018 4:51 pm
Forum: General
Topic: Mass Managing Mikrotik
Replies: 11
Views: 1032

Re: Mass Managing Mikrotik

Indeed, take a look at Unimus. We do Mass Config Push, upgrades across the network, etc. You can use this to push changes to firewalls across many routers, upgrade RouterOS or RouterBOOT, etc. You will also get configuration change notifications (so anytime a config of any device changes, you get a...
by tomaskir
Thu Aug 30, 2018 7:40 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 2680

Re: New wave of Winbox vuln. attacks

@sajibnandi: It seems you have logging enabled for some rule in the firewall input chain. Depending on how the input chain is configured, this might be just logging you can disable. Best would be to paste the output of
/ip firewall filter print where chain=input
Looking at the structure of the firewall, we...
by tomaskir
Thu Aug 30, 2018 4:24 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 2680

Re: New wave of Winbox vuln. attacks

I seem to recall there is a way to view the default configuration, but have failed to locate how to do it.
Could you point me in the right direction?

You can print out the default configuration using:
/system default-configuration print
by tomaskir
Thu Aug 30, 2018 12:51 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 2680

Re: New wave of Winbox vuln. attacks

Indeed, the issue will be in accepting "new" state connections in rule no.3. As pointed out by sid5632, this is something that was modified from the default configuration, and that is why you are seeing Winbox login attempts from the internet. Fixing that rule (remove the "new" connection state) is ...
by tomaskir
Tue Aug 28, 2018 1:56 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 2680

Re: New wave of Winbox vuln. attacks

As an update to this, it seems there are currently 2 active variants of attacks: Version 1: Very similar to the attacks on Latin America earlier this month, but executed across the US/EU. This variant modifies SOCKS, and pulls updates using a 'mikrotik.php' file that is downloaded using scripts and ...
by tomaskir
Mon Aug 27, 2018 7:19 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 2680

New wave of Winbox vuln. attacks

There is currently another wave of attacks on RouterOS under way across US/EU address space. This attack utilizes the Winbox vuln. that has been patched in April this year. The current wave of attacks is very similar to the mass-exploitation of routers across Brazil earlier this month. This time tho...
by tomaskir
Tue Aug 21, 2018 5:01 pm
Forum: Beginner Basics
Topic: IPsec-SA expired before finishing rekey [SOLVED]
Replies: 4
Views: 852

Re: IPsec-SA expired before finishing rekey [SOLVED]

I would suggest creating a ticket with support as well so MKT can check if this is something they can fix.
Simply using PFS for P2 should not break re-keying.
by tomaskir
Thu Aug 16, 2018 12:23 pm
Forum: The Dude
Topic: Mass Password Change [SOLVED]
Replies: 2
Views: 354

Re: Mass Password Change [SOLVED]

With The Dude, there is no way to mass push config.

I recommend checking out Unimus - it will do this with a few clicks.
(create a Mass Config Push preset, select devices, push)

Otherwise, you can always script this yourself using TCL/Expect, or Python.
by tomaskir
Mon Aug 13, 2018 3:45 pm
Forum: General
Topic: Centralized Management
Replies: 4
Views: 460

Re: Centralized Management

Thanks for the feedback, we are always happy to hear what we can do better :) - Centralized Upgrade: Great, but it would be very helpful to see the current ROS-version of every device in the device-list We want to add this, but since we support 110+ vendors we need to properly implement this for all...
by tomaskir
Mon Aug 13, 2018 1:34 pm
Forum: General
Topic: Monitor wireless values
Replies: 3
Views: 281

Re: Monitor wireless values

Everything you want is in RouterOS wireless MIBs.
/interface wireless
print oid

Use SNMP to retrieve the data, and choose any of the available monitoring platforms to graph it :)
by tomaskir
Mon Aug 13, 2018 1:27 pm
Forum: General
Topic: Centralized Management
Replies: 4
Views: 460

Re: Centralized Management

Check out Unimus, it was built for exactly this. Here is a manual how to mass-upgrade RouterOS across the network: https://unimus.net/blog/network-wide-mikrotik-routeros-upgrade.html Here is an example of how to validate security (and if the network was hit by recent RouterOS exploits): https://uni...
by tomaskir
Tue Jul 24, 2018 6:28 pm
Forum: Virtualization
Topic: CHR 6.42.6+GNS3 = No RoMON
Replies: 2
Views: 757

Re: CHR 6.42.6+GNS3 = No RoMON

RoMON uses a MKT proprietary L2 protocol. The default simulated switches in GNS3 only forward Ethernet frames. This is why you are not able to use RoMON, or other non-standard L2 protocol in GNS. Work-around is not to use the GNS3 "switch" object to connect your simulated MKTs, but use something els...
by tomaskir
Sun Jul 22, 2018 2:30 pm
Forum: Wireless Networking
Topic: Wireless Wire MTU, stability
Replies: 5
Views: 714

Re: Wireless Wire MTU, stability

Sounds like a bug.
Definitely something MKT support should look at.

Did you send a ticket to support with a supout.rif yet?
by tomaskir
Sun Jul 22, 2018 12:47 pm
Forum: General
Topic: Intrusion shortly after sending support file
Replies: 8
Views: 1298

Re: Intrusion shortly after sending support file

1) What version of RouterOS was that router on?
2) Did you have Winbox open publicly on the default port?
by tomaskir
Wed Jul 11, 2018 2:55 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: LLDP
Replies: 123
Views: 36942

Re: LLDP

I think everyone in this thread appreciates VERY MUCH that LLDP is implemented at all. And I personally thank the MKT team a lot for this. But I think all of us here wish the work on LLDP would continue, since there is still a lot that can be improved. Also separation of LLDP from MNDP would probabl...
by tomaskir
Wed Jul 11, 2018 1:44 am
Forum: RouterOS v6 RC and v7 BETA
Topic: LLDP
Replies: 123
Views: 36942

Re: LLDP

Also no LLDP data is present in SNMP.

Another main use-case for LLDP is to have topology data available over SNMP, so monitoring and mapping software can use it to map the network.
by tomaskir
Sun Jul 08, 2018 5:35 pm
Forum: General
Topic: feature request, auto firewall nat rules [SOLVED]
Replies: 4
Views: 338

Re: feature request, auto firewall nat rules [SOLVED]

You can use this FW rule to accept all NATed connections:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
EDIT: damn, Sob beat me to it :(
by tomaskir
Mon Jul 02, 2018 4:58 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 63
Views: 12919

Re: Winbox v3.16 released!

*) added back support for connecting to older RouterOS v6 versions;
Does this mean that Winbox is again able to download and execute DLLs received from external sources?
by tomaskir
Tue Jun 19, 2018 3:42 pm
Forum: General
Topic: Load custom default config when reset button pressed [SOLVED]
Replies: 1
Views: 189

Re: Load custom default config when reset button pressed [SOLVED]

You will have to use NetInstall to do this.
NetInstall has an option to apply a configuration.

That configuration will be applied as the default config.
(including if the board is reset through the reset button)
by tomaskir
Tue Jun 12, 2018 6:50 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: New IP cloud is coming.
Replies: 82
Views: 13050

Re: New IP cloud is coming.

Multi-WAN support for DDNS pretty please?
by tomaskir
Wed Jun 06, 2018 11:06 am
Forum: General
Topic: configuration for multiple routers
Replies: 3
Views: 325

Re: configuration for multiple routers

If you want an easier solution - try Unimus. It will do Mass Config Push for you, and you can have it setup in under 30 minutes. Changing NTP, or creating / modifying users on all MKTs in the network is a few clicks. Here is an example of how to do RouterOS upgrades: https://unimus.net/blog/network-...
by tomaskir
Mon May 21, 2018 8:24 pm
Forum: General
Topic: multi microtik management tool
Replies: 13
Views: 5492

Re: multi microtik management tool

Check out Unimus:
https://unimus.net/

It will do Mass Config Push, change detection, diffs, network-wide config search, etc.
You can easily upgrade RouterOS across the network.

Here is an article on network-wide RouterOS update:
https://unimus.net/blog/network-wide-mi ... grade.html
by tomaskir
Wed May 02, 2018 4:24 pm
Forum: The Dude
Topic: New Dude to Backup Routers
Replies: 23
Views: 2922

Re: New Dude to Backup Routers

Unimus is interesting, even though it IS paid (thanks Hammy). The dev is pretty responsive and he's including [starting to anyway] mechanisms for pushing commands/scripts to devices which is making it somewhat of a change-mgmt platform with some interesting possibilities. This would have been helpf...
by tomaskir
Mon Apr 30, 2018 4:00 pm
Forum: General
Topic: [Guide] Easy network-wide RouterOS upgrades
Replies: 1
Views: 279

[Guide] Easy network-wide RouterOS upgrades

Hi everyone, So with the latest RouterOS exploits, upgrading to an up-to-date RouterOS version is more important than ever. I wrote an article/how-to on an easy way to update RouterOS across your entire network. This article uses RouterOS Package Source feature to act as a local upgrade server. Unimu...
by tomaskir
Mon Apr 23, 2018 3:20 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 86929

Re: v6.43rc [release candidate] is released!

@strods
*) ipsec - added "responder" parameter for "mode-config" to allow multiple initiator configurations (CLI only);

Can you please elaborate on what this does?
by tomaskir
Fri Apr 20, 2018 2:36 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 86929

Re: v6.43rc [release candidate] is released!

Can the phy-rate and RSSI for 60G interfaces also be exposed over SNMP please?

Thanks!
by tomaskir
Mon Mar 19, 2018 1:38 pm
Forum: General
Topic: L2 MTU sizes - STILL confused
Replies: 11
Views: 1574

Re: L2 MTU sizes - STILL confused

Slide 18 and 19 from my presentation on MPLS/VPLS/MTU covers this pretty well:
https://mum.mikrotik.com/presentations/US13/kirnak.pdf

I would also recommend actually watching / listening to the presentation, it covers it much more in depth:
https://youtu.be/Q8AF-Srulmk
by tomaskir
Fri Mar 16, 2018 11:46 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74486

Re: v6.42rc [release candidate] is released!

Waiting time is not too long. This kind of implementation will satisfy the biggest part of the users so we decided to re-make this generate process. But what is the benefit - what was the original need to change this? Because from what I can see, this has only disadvantages. Making users wait when ...
by tomaskir
Thu Mar 15, 2018 8:20 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 74486

Re: v6.42rc [release candidate] is released!

*) ssh - generate SSH keys only on the first connect attempt instead of the first boot; Could you please comment on why this change was made? Is it not better to generate these at startup than to make a user wait the first time he connects? Specifically on older boards (with single-core 400MHz CPU...
by tomaskir
Tue Mar 13, 2018 12:36 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature request: "Service Group"
Replies: 12
Views: 3772

Re: Feature request: "Service Group"

As you can see, this post is all the way back from 2012.

There has been no change on this, which is sad.
There still is no way to define any groupings for protocols/ports/services in RouterOS.
by tomaskir
Tue Mar 06, 2018 1:10 pm
Forum: The Dude
Topic: Configuration Backup
Replies: 1
Views: 467

Re: Configuration Backup

You can't really have The Dude do any kind of backups / configuration management. If you want a solution that just works, check out Unimus. No need to configure anything on the routers. Takes about 15 minutes to deploy to manage a network of 1000 devices. (assuming you can mass-import devices) You ...
by tomaskir
Wed Feb 28, 2018 3:19 pm
Forum: Scripting
Topic: Mikrotik backup + upload to FTP /problem/
Replies: 8
Views: 713

Re: Mikrotik backup + upload to FTP /problem/

maybe someday .. mikrotik make some app for all that Great hardware offer, but poor support around maintenance It's easy when you have 1-10 mikrotik routers .. but 100+? As I mentioned in my previous post, you already have multiple solutions that exist that do this. Why should MikroTik write an appl...
by tomaskir
Tue Feb 27, 2018 5:55 pm
Forum: Scripting
Topic: Mikrotik backup + upload to FTP /problem/
Replies: 8
Views: 713

Re: Mikrotik backup + upload to FTP /problem/

I would suggest getting a proper config management solution. (that will do config backup, show changes in config, etc.) You have multiple choices: Unimus - https://unimus.net/ Oxidized - https://github.com/ytti/oxidized Rancid - http://www.shrubbery.net/rancid/ etc. It will be easier to use, much mo...
by tomaskir
Mon Feb 19, 2018 12:10 am
Forum: Scripting
Topic: changing /system default-configuration script
Replies: 5
Views: 1049

Re: changing /system default-configuration script

What is strange is that it is still the original script which is displayed in /system default-configuration. This is a well known "bug" that has been in ROS for many years. Is there a way to view this script inside routerOS ? (could be a good or bad thing since it may embed cleartext passwords) No ...
by tomaskir
Tue Jan 09, 2018 10:20 pm
Forum: General
Topic: Hiring a consultant for configuration support
Replies: 3
Views: 235

Re: Hiring a consultant for configuration support

MikroTik has an official consultant list you can use:
https://mikrotik.com/consultants

I think that might be a better source for knowledgeable MikroTik people than freelance websites.
by tomaskir
Mon Jan 08, 2018 2:26 pm
Forum: General
Topic: Mikrotik developer - Paid Config
Replies: 1
Views: 229

Re: Mikrotik developer - Paid Config

MikroTik has an official consultant list you can use:
https://mikrotik.com/consultants
by tomaskir
Sat Jan 06, 2018 3:38 am
Forum: Beginner Basics
Topic: NAT Loopback for beginner
Replies: 7
Views: 3460

Re: NAT Loopback for beginner

There is a very good article on the wiki that describes all you need to know:
https://wiki.mikrotik.com/wiki/Hairpin_NAT
by tomaskir
Sun Dec 31, 2017 12:12 am
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 48
Views: 4616

Re: High CPU load when PPPoE sessions disconnects

Any interface connecting/disconnecting - does not matter if dynamic or static.
by tomaskir
Sat Dec 30, 2017 6:46 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 48
Views: 4616

Re: High CPU load when PPPoE sessions disconnects

It doesn't matter if the user has public or private IP, it's about interfaces. When interfaces connect/disconnect, in combination with NAT, it gives you high CPU usage. So simply eliminate NAT from that router. Have a separate router "in front" of the PPPoE concentrator, that NATs the traffic from...
by tomaskir
Sat Dec 30, 2017 4:01 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 48
Views: 4616

Re: High CPU load when PPPoE sessions disconnects

Just DO NOT use NAT on any routers that have high number of connecting/disconnecting interfaces. Use basic networking principle of 'separation of concerns'. Each device in your network should be responsible for one function - don't mix too many things into one device. Place an additional router "in ...
by tomaskir
Fri Dec 29, 2017 4:17 pm
Forum: Beginner Basics
Topic: accept vs return in mangle
Replies: 2
Views: 340

Re: accept vs return in mangle

action=return is supposed to be used with custom chains - to return the packet to the original chain it came from (using the jump action). I am actually not sure what action=return does in one of the built-in chains. Documentation doesn't specify it either. If you want it to be not processed anymore...
by tomaskir
Wed Dec 27, 2017 4:18 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 728

Re: MPLS MTU Calculations

Yes, but do not forget to properly calculate all other MTUs so MTU is sufficient on every layer.
by tomaskir
Wed Dec 27, 2017 1:54 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 728

Re: MPLS MTU Calculations

It will work if MTU is sufficient, or higher.
It can be higher, that will not hurt.

But it MUST NOT be lower than required.
by tomaskir
Wed Dec 27, 2017 1:07 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 728

Re: MPLS MTU Calculations

You need to calculate how much you need at every layer.
(like on slide 19 of the presentation)

If you have 4 tags, then you need to calculate that into the MPLS layer MTU, and MTUs on all underlying layers.
by tomaskir
Wed Dec 27, 2017 12:34 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 728

Re: MPLS MTU Calculations

VPLS ID is the VPLS tag (it contains the tunnel ID).

A VPLS tag is just another type of MPLS tag - so also just 4 per VPLS tag.
by tomaskir
Tue Dec 26, 2017 11:10 pm
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 728

Re: MPLS MTU Calculations

Check out this presentation for an in-depth discussion of MTU (and in particular in regards to MPLS/VPLS).

https://youtu.be/Q8AF-Srulmk
by tomaskir
Tue Dec 26, 2017 11:08 pm
Forum: Beginner Basics
Topic: Soft for autobackup many device
Replies: 2
Views: 230

Re: Soft for autobackup many device

Check out Unimus.
https://unimus.net/

It will do exactly what you want :)
by tomaskir
Mon Nov 27, 2017 2:26 pm
Forum: Beginner Basics
Topic: How to configure two Mikrotiks as a failover/backup [SOLVED]
Replies: 4
Views: 430

Re: How to configure two Mikrotiks as a failover/backup [SOLVED]

There are multiple ways to do this, depending on your network layout, and how other things connect to the 1100s.

You will most probably want to go with VRRP tho, judging by your post:
https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP