Community discussions

Search found 1057 matches

by tomaskir
Mon Feb 19, 2018 12:10 am
Forum: Scripting
Topic: changing /system default-configuration script
Replies: 4
Views: 186

Re: changing /system default-configuration script

What is strange is that it is still the original script which is displayed in /system default-configuration. This is a well known "bug" that has been in ROS for many years. Is there a way to view this script inside routerOS ? (could be a good or bad thing since it may embed cleartext passwords) No ...
by tomaskir
Tue Jan 09, 2018 10:20 pm
Forum: General
Topic: Hiring a consultant for configuration support
Replies: 3
Views: 120

Re: Hiring a consultant for configuration support

MikroTik has an official consultant list you can use:
https://mikrotik.com/consultants

I think that might be a better source for knowledgeable MikroTik people than freelance websites.
by tomaskir
Mon Jan 08, 2018 2:26 pm
Forum: General
Topic: Mikrotik developer - Paid Config
Replies: 1
Views: 142

Re: Mikrotik developer - Paid Config

MikroTik has an official consultant list you can use:
https://mikrotik.com/consultants
by tomaskir
Sat Jan 06, 2018 3:38 am
Forum: Beginner Basics
Topic: NAT Loopback for beginner
Replies: 7
Views: 466

Re: NAT Loopback for beginner

There is a very good article on the wiki that describes all you need to know:
https://wiki.mikrotik.com/wiki/Hairpin_NAT
by tomaskir
Sun Dec 31, 2017 12:12 am
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 35
Views: 2054

Re: High CPU load when PPPoE sessions disconnects

Any interface connecting/disconnecting - does not matter if dynamic or static.
by tomaskir
Sat Dec 30, 2017 6:46 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 35
Views: 2054

Re: High CPU load when PPPoE sessions disconnects

It doesn't matter if the user has public or private IP, it's about interfaces. When interfaces connect/disconnect, in combination with NAT, it gives you high CPU usage. So simply eliminate NAT from that router. Have a separate router "in front" of the PPPoE concentrator, that NATs the traffic from...
by tomaskir
Sat Dec 30, 2017 4:01 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 35
Views: 2054

Re: High CPU load when PPPoE sessions disconnects

Just DO NOT use NAT on any routers that have high number of connecting/disconnecting interfaces. Use basic networking principle of 'separation of concerns'. Each device in your network should be responsible for one function - don't mix too many things into one device. Place an additional router "in ...
by tomaskir
Fri Dec 29, 2017 4:17 pm
Forum: Beginner Basics
Topic: accept vs return in mangle
Replies: 2
Views: 147

Re: accept vs return in mangle

action=return is supposed to be used with custom chains - to return the packet to the original chain it came from (using the jump action). I am actually not sure what action=return does in one of the built-in chains. Documentation doesn't specify it either. If you want it to be not processed anymore...
by tomaskir
Wed Dec 27, 2017 4:18 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 285

Re: MPLS MTU Calculations

Yes, but do not forget to properly calculate all other MTUs so MTU is sufficient on every layer.
by tomaskir
Wed Dec 27, 2017 1:54 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 285

Re: MPLS MTU Calculations

It will work if MTU is sufficient, or higher.
It can be higher, that will not hurt.

But it MUST NOT be lower than required.
by tomaskir
Wed Dec 27, 2017 1:07 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 285

Re: MPLS MTU Calculations

You need to calculate how much you need at every layer.
(like on slide 19 of the presentation)

If you have 4 tags, then you need to calculate that into the MPLS layer MTU, and MTUs on all underlying layers.
by tomaskir
Wed Dec 27, 2017 12:34 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 285

Re: MPLS MTU Calculations

VPLS ID is the VPLS tag (it contains the tunnel ID).

A VPLS tag is just another type of MPLS tag - so also just 4 per VPLS tag.
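The per-layer MTU budget that the MPLS MTU posts above describe (4 bytes per label, every underlying layer sized to fit), written out as an added example. This is not from the thread or the linked presentation; interface names, the peer address, the VPLS ID and the 4-label depth are assumptions, and the exact L2MTU ceiling depends on the hardware.

```routeros
# Added example, not from the forum posts: MTU budget for a VPLS service over
# an MPLS core where frames may carry up to 4 labels (as in the thread).
# Interface names, addresses and the VPLS ID are placeholders.
#
# Layer by layer, from the inside out (all sizes in bytes):
#   customer IP MTU                            1500
#   + Ethernet header carried inside VPLS        14  (+4 if customer frames are VLAN-tagged)
#   = L2 payload the VPLS must carry           1514
#   + 4 MPLS labels * 4 bytes each               16  (the VPLS label is one of these)
#   = required MPLS MTU                        1530
#   + outer VLAN tag on the core link             4  (only if the core link is tagged)
#   = minimum L2MTU on the core interface      1534
# Each layer must be at least this big; bigger never hurts, smaller breaks forwarding.

# Core-facing interface: L2MTU has to cover the whole frame (ceiling varies per model).
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1600

# MPLS layer: mpls-mtu includes the label stack, so it must be >= 1530 here.
/mpls interface
add interface=ether1 mpls-mtu=1534

# VPLS pseudowire: its interface MTU is the customer's L3 MTU, not the frame size.
/interface vpls
add name=vpls-cust1 remote-peer=10.255.0.2 vpls-id=1:100 mtu=1500 disabled=no
```

After applying this, a quick check is a ping across the VPLS with do-not-fragment set and a 1500-byte payload from the customer side; if it fails while smaller sizes pass, one of the layers in the budget above is still too small.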
by tomaskir
Tue Dec 26, 2017 11:10 pm
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 9
Views: 285

Re: MPLS MTU Calculations

Check out this presentation for an in-depth discussion of MTU (and in particular in regards to MPLS/VPLS).

https://youtu.be/Q8AF-Srulmk
by tomaskir
Tue Dec 26, 2017 11:08 pm
Forum: Beginner Basics
Topic: Soft for autobackup many device
Replies: 2
Views: 113

Re: Soft for autobackup many device

Check out Unimus.
https://unimus.net/

It will do exactly what you want :)
by tomaskir
Mon Nov 27, 2017 2:26 pm
Forum: Beginner Basics
Topic: How to configure two Mikrotiks as a failover/backup [SOLVED]
Replies: 4
Views: 291

Re: How to configure two Mikrotiks as a failover/backup [SOLVED]

There are multiple ways to do this, depending on your network layout, and how other things connect to the 1100s.

You will most probably want to go with VRRP though, judging by your post:
https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP
by tomaskir
Sun Oct 22, 2017 1:45 am
Forum: Beginner Basics
Topic: New advice on Manual Firmware update - Wiki page outdated?
Replies: 1
Views: 261

Re: New advice on Manual Firmware update - Wiki page outdated?

Just download 'Main package', transfer to device, reboot device.

Make sure to download proper architecture, the 'System > Packages' table will tell you yours.
(for SXT, it's mipsbe)
by tomaskir
Thu Oct 19, 2017 12:56 pm
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 817

Re: Dual WLAN + load balancing + redundancy?

All the things highlighted in your screenshot have different meanings, the 0s are fine. Highlighted rule 1 simply says there is no WAN->LAN traffic through wlan1. Highlighted rules 2 and 3 are 0 because the main load-balancing rule isn't routing any traffic through wlan2. You can see that in the conf...
by tomaskir
Wed Oct 18, 2017 4:29 pm
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 817

Re: Dual WLAN + load balancing + redundancy?

As I mentioned previously, you will need to have the Traffic Monitor scripts in place to do load balancing using bandwidth-based load-balancing. Refer to the presentation. Another note - do not use FastTrack with this. FastTrack on purpose doesn't let packets into Mangle (and multiple other RouterOS fa...
by tomaskir
Wed Oct 18, 2017 6:18 am
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 817

Re: Dual WLAN + load balancing + redundancy?

1) Mangle misconfiguration
Rule 10 - you are missing negation signs. "dst-address-type=!local" and "dst-address-list=!Connected"
If you are doing bandwidth-based load-balancing, you will also need the Traffic Monitors which switch the routing mark on the main load-balancing Mangle rule.
2) Pings Y...
by tomaskir
Wed Oct 18, 2017 3:13 am
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 817

Re: Dual WLAN + load balancing + redundancy?

That config is completely wrong, so no wonder it doesn't work :)

Implement proper Mangle as in either of the presentations, then test.
If it still doesn't work after, please post the Mangle export and what doesn't work.
by tomaskir
Wed Oct 18, 2017 12:06 am
Forum: Beginner Basics
Topic: Add firewall filter in top position
Replies: 3
Views: 172

Re: Add firewall filter in top position

Is this what you are looking for?
/ip firewall filter
add src-address-list=device.admins action=accept place-before=3
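The same insertion, as an added example that is not part of the post above, anchored on a comment instead of a list index. The numbers shown by print are positional and shift whenever rules are added, removed or moved, so place-before=3 targets whatever happens to be third at that moment. The rule comments and the drop rule are placeholders.

```routeros
# Added example, not from the post: insert a rule at a fixed position relative
# to another rule instead of relying on a numeric index.
# Comments and the anchor rule are placeholders.

/ip firewall filter
# the rule we want to stay in front of; normally already present
add chain=input action=drop comment="input: drop everything else"

# either use the one-line form ...
add chain=input action=accept src-address-list=device.admins \
    comment="input: allow admins" \
    place-before=[ find chain=input comment="input: drop everything else" ]

# ... or the scripted form, which refuses to add anything unless the anchor
# comment matches exactly one rule (an ambiguous or empty find is the usual
# way this idiom goes wrong). Use one form or the other, not both.
:local anchor [ /ip firewall filter find chain=input comment="input: drop everything else" ]
:if ([ :len $anchor ] = 1) do={
    /ip firewall filter add chain=input action=accept src-address-list=device.admins \
        comment="input: allow admins (scripted)" place-before=$anchor
} else={
    :error "anchor rule not found exactly once, refusing to add rule"
}
```

Afterwards `/ip firewall filter print where chain=input` should show the accept rule immediately above the drop, and `/ip firewall filter print stats` lets you confirm the accept rule's counters move when an admin connects while the drop rule's do not.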
by tomaskir
Tue Oct 17, 2017 7:52 pm
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 817

Re: Dual WLAN + load balancing + redundancy?

Most probably it's an issue in your Mangle config.

Please post your Mangle export.
by tomaskir
Tue Oct 17, 2017 9:56 am
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 817

Re: Dual WLAN + load balancing + redundancy?

You will need to properly setup load balancing using Mangle.
Check out this presentation, it should cover what you need to know:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that's when the Mangle stuff starts.
by tomaskir
Mon Oct 16, 2017 10:02 pm
Forum: Announcements
Topic: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities
Replies: 58
Views: 83289

Re: RouterOS NOT affected by WPA2 vulnerabilities

Good job on the fast announcement and staying on top of the vulnerabilities. Special thanks for the additional per-protocol information and the clarification that was added after the initial post! (for people coming in later - the bottom half of MikroTiks post was added after official information ...
by tomaskir
Sat Oct 14, 2017 6:10 pm
Forum: Beginner Basics
Topic: How to send a backup to email [SOLVED]
Replies: 13
Views: 546

Re: How to send a backup to email [SOLVED]

You can configure any of them to take a backup every 12h or 24h. Unimus is the simplest to setup, fastest to use, and has nice things like graphical diff (see changes between backups, or between devices), and a network-wide config search. (type in "vlan 1002" and see everywhere in your network that ...
by tomaskir
Sat Oct 14, 2017 5:00 pm
Forum: Beginner Basics
Topic: How to send a backup to email [SOLVED]
Replies: 13
Views: 546

Re: How to send a backup to email [SOLVED]

Sending backups to email is bad for multiple reasons.
Security, scalability, management (imagine you need to change the email address, or email credentials on 100 devices), etc.

You should look at a proper backup solution, such as Unimus, Rancid or Oxidized.
by tomaskir
Thu Oct 05, 2017 6:03 pm
Forum: General
Topic: snmp security... private or authorized?
Replies: 6
Views: 1202

Re: snmp security... private or authorized?

For SNMPv3:
none - no hashing nor encryption
authorized - hashing
private - hashing and encryption

So for none, you don't need hash or encryption password, just username. SNMPv3 with "none" security behaves much like SNMPv2c. Authorized will use SHA1 or MD5 (depending on your configuration) hash as t...
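The three SNMPv3 security levels from the post, written out as RouterOS configuration. This is an added example, not from the post; the community names, passphrases and the monitoring host address are placeholders.

```routeros
# Added example, not from the post: one SNMPv3 user per security level described
# above, plus locking down the default community.
# User names, passphrases and the monitoring host address are placeholders.

/snmp community
# "private": authentication (SHA1) and encryption (AES); this is the one to use
add name=noc-v3 security=private \
    authentication-protocol=SHA1 authentication-password="Auth-Passphrase-Change-Me" \
    encryption-protocol=AES encryption-password="Priv-Passphrase-Change-Me" \
    read-access=yes write-access=no addresses=10.0.0.5/32

# "authorized": hashed authentication only; OIDs and values still travel in cleartext
add name=noc-v3-authonly security=authorized \
    authentication-protocol=SHA1 authentication-password="Auth-Passphrase-Change-Me" \
    read-access=yes write-access=no addresses=10.0.0.5/32

# "none": just a username, no stronger than v2c; shown for contrast only
add name=noc-v3-none security=none read-access=yes write-access=no addresses=10.0.0.5/32

# do not leave the built-in "public" community active; if your version has no
# disabled flag, restrict its addresses= to something that cannot reach the router
set [ find name=public ] disabled=yes

/snmp
set enabled=yes
```

From the monitoring host, `snmpwalk -v3 -l authPriv -u noc-v3 -a SHA -A '<auth>' -x AES -X '<priv>' <router> 1.3.6.1.2.1.1` should answer, while the same walk with `-l noAuthNoPriv -u noc-v3` must be refused, which confirms the level is enforced rather than merely offered. MD5 and DES are still selectable on RouterOS; prefer SHA1 and AES, as the post's wording implies.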
by tomaskir
Thu Oct 05, 2017 2:29 pm
Forum: General
Topic: 2 Internet Connections, one for Inbound and one for Outbound
Replies: 4
Views: 248

Re: 2 Internet Connections, one for Inbound and one for Outbound

You can have only one default route.
It can go either through WAN1, or WAN2.

As soon as you need some things to go through WAN1, and other things to go through WAN2, you need Mangle.
by tomaskir
Thu Oct 05, 2017 12:49 pm
Forum: General
Topic: 2 Internet Connections, one for Inbound and one for Outbound
Replies: 4
Views: 248

Re: 2 Internet Connections, one for Inbound and one for Outbound

You will need to configure Mangle properly, and handle WAN->Router marking.

Check out this presentation:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that's when the Mangle stuff starts.
by tomaskir
Wed Oct 04, 2017 11:38 pm
Forum: General
Topic: First 100Mbps WAN1, next 100Mbps WAN2
Replies: 4
Views: 278

Re: First 100Mbps WAN1, next 100Mbps WAN2

Great presentation, this is exactly what I needed. Thank you.

Is it possible for me to see the slides in this presentation? It would be a great help.
There is a link in the video description :)
by tomaskir
Wed Oct 04, 2017 3:04 pm
Forum: Beginner Basics
Topic: Rename interfaces [SOLVED]
Replies: 2
Views: 181

Re: Rename interfaces [SOLVED]

I personally consider leaving interface names as default as best practice.

Use comments to store descriptive information about an interface.
by tomaskir
Wed Oct 04, 2017 10:34 am
Forum: General
Topic: First 100Mbps WAN1, next 100Mbps WAN2
Replies: 4
Views: 278

Re: First 100Mbps WAN1, next 100Mbps WAN2

If you are looking for bandwidth-based load balancing, check out this presentation:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that's when the Mangle stuff starts.
by tomaskir
Tue Oct 03, 2017 6:10 pm
Forum: General
Topic: [hEX] 80 PPPoE session on RB750Gr3
Replies: 4
Views: 254

Re: [hEX] 80 PPPoE session on RB750Gr3

Then the hEX should be fine :)
by tomaskir
Tue Oct 03, 2017 5:22 pm
Forum: General
Topic: [hEX] 80 PPPoE session on RB750Gr3
Replies: 4
Views: 254

Re: [hEX] 80 PPPoE session on RB750Gr3

It depends.

How much traffic will there be?

What other things will the box do?
(firewall, QoS, NAT, etc.)
by tomaskir
Mon Oct 02, 2017 7:29 pm
Forum: General
Topic: Wirless Signal Dissaper when iphone is locked
Replies: 3
Views: 253

Re: Wirless Signal Dissaper when iphone is locked

1) This is unrelated to MikroTik, or RouterOS.
2) It's common for smartphones to go into power saving when you lock them / put them into standby mode with the power button. Same for Galaxy S8, use power button to put it into standby, WiFi gets turned off. These are normal power-savings features. On ...
by tomaskir
Mon Oct 02, 2017 7:27 pm
Forum: General
Topic: more that 200 L2TP sessions for HEX (L4 license upgrade for routerbord) [SOLVED]
Replies: 1
Views: 210

Re: more that 200 L2TP sessions for HEX (L4 license upgrade for routerbord) [SOLVED]

Yes, the license limit is applicable to RouterBOARDs. So you will not be able to do more than 200 tunnels on a RouterBOARD with an L4 license. You can buy an L5 license, and apply it to the RB. There is no upgrade (you can't just pay the difference) in RouterOS licensing, so you need a new L5 licens...
by tomaskir
Mon Oct 02, 2017 7:24 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 527

Re: Dual WAN not responding to external telnet/WinBox requests

Sorry for the late reply, I finally had some time to look at your Mangle export today.
1) move the rules which handle WAN->ROS connections to the top. Before those prerouting rules.
2) do the input/output chain Mangle rules capture any traffic? That is, is the packet counter on all of them increasin...
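The "WAN->Router marking" that both this post and the earlier "2 Internet Connections" reply point at, written out as an added example. This is not from the posts or the linked presentation; interface names, gateway addresses and mark names are placeholders, and the syntax is RouterOS 6 (routing-mark on routes).

```routeros
# Added example, not from the posts or the presentation: the "WAN -> router"
# marking on a dual-WAN router, so a connection that arrives on one WAN is
# answered out of the same WAN. Without it, WinBox/telnet/SSH to the second
# WAN's address gets its replies sent via the default route and never completes.
# Interface names, gateways and mark names are placeholders; RouterOS 6 syntax.

/ip firewall mangle
# 1) remember which WAN a new inbound connection to the router itself arrived on
add chain=input in-interface=ether1-wan1 connection-state=new \
    action=mark-connection new-connection-mark=conn-wan1 passthrough=yes \
    comment="WAN1 -> router"
add chain=input in-interface=ether2-wan2 connection-state=new \
    action=mark-connection new-connection-mark=conn-wan2 passthrough=yes \
    comment="WAN2 -> router"

# 2) route the router's own replies back through the WAN the connection came from
add chain=output connection-mark=conn-wan1 \
    action=mark-routing new-routing-mark=via-wan1 passthrough=no
add chain=output connection-mark=conn-wan2 \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no

# Keep these ahead of, and separate from, the prerouting rules that mark LAN traffic.

# 3) one default route per routing mark, plus the normal defaults with distances
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
```

The check the post asks for is `/ip firewall mangle print stats` while you connect to the WAN2 address: the WAN2 input rule and the matching output rule must both count packets. If the output rule stays at zero, the reply is leaving unmarked. Do not combine this with a FastTrack rule in `/ip firewall filter`; fasttracked packets bypass mangle entirely, which the "Dual WLAN" thread on this page also warns about.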
by tomaskir
Thu Sep 28, 2017 4:49 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 35
Views: 2054

Re: High CPU load when PPPoE sessions disconnects

If you are using Masquerade on the router, that is the problem. When using Masquerade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disconnect. So if you have lots of PPPoE session connecting/disconnecting, connection tracking will constantly be recalculated wh...
by tomaskir
Thu Sep 21, 2017 3:32 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: List of IPSEC Speed, Encrypt Algo, Hash Algo, DH Group
Replies: 1
Views: 525

Re: List of IPSEC Speed, Encrypt Algo, Hash Algo, DH Group

We use this with our IPSec everywhere:
Phase 1: AES256, SHA512, MODP2048
Phase 2: AES128, SHA1, MODP2048

For us, this is a good balance of security/performance.

SHA1 in P2 could be improved on, but for our requirements, it's enough.
(since SHA1 collisions have now been performed)
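The Phase 1 / Phase 2 choice stated in the post, written out for a site-to-site tunnel as an added example. This is not the poster's configuration; the addresses, subnets and PSK are placeholders, and the syntax is the RouterOS 6.40-era one where Phase 1 settings live on the peer (from 6.43 they moved to /ip ipsec profile).

```routeros
# Added example, not from the post: the stated Phase 1 / Phase 2 algorithms for a
# site-to-site tunnel. Addresses, subnets and the PSK are placeholders.
# RouterOS 6.40-era syntax; from 6.43 the Phase 1 settings live under /ip ipsec profile.

# Phase 1 (IKE SA): AES-256, SHA-512, DH group modp2048
/ip ipsec peer
add address=203.0.113.2/32 secret="Replace-With-A-Long-Random-PSK" \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha512 dh-group=modp2048 \
    nat-traversal=no send-initial-contact=yes

# Phase 2 (IPsec SA): AES-128, SHA1, PFS with modp2048.
# To move off SHA1 as the post suggests, change auth-algorithms=sha256;
# the other side has to offer the same set or the SA will not negotiate.
/ip ipsec proposal
add name=site-b auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp2048 lifetime=30m

# Policy tying the proposal to the traffic selector
/ip ipsec policy
add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 \
    tunnel=yes action=encrypt level=require proposal=site-b
```

Once the tunnel is up, `/ip ipsec installed-sa print` shows the auth and encryption algorithm actually negotiated for each SA, and `/ip ipsec remote-peers print` the Phase 1 state; compare those against what you intended rather than trusting the proposal alone, since the peer's weakest acceptable option can win the negotiation.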
by tomaskir
Thu Sep 21, 2017 2:57 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 527

Re: Dual WAN not responding to external telnet/WinBox requests

tomaskir is not quite right because it's better to mark connections in prerouting rather then in input. Look at pcc example: https://wiki.mikrotik.com/wiki/Manual:PCC#Application_Example_-_Load_Balancing May be you forgot to add respective routes for that routing marks (like in pcc example). And yo...
by tomaskir
Wed Sep 20, 2017 11:03 pm
Forum: Scripting
Topic: creating users with cmd without telnet
Replies: 9
Views: 513

Re: creating users with cmd without telnet

Any script named whatever.auto.rsc will be automatically executed when it is transferred to RouterOS.

So you can create for example users.auto.rsc, with this:

Code:

/user
add name=user password=password group=read
And upon being transferred to the router, it will create that user.
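A fuller users.auto.rsc in the same spirit, as an added example that is not from the post: it puts the new account in a purpose-built group, limits where it may log in from, and logs what it did. The user name, group name, password and management subnet are placeholders.

```routeros
# users.auto.rsc - added example, not from the post above.
# Anything named *.auto.rsc runs as soon as it lands in the router's file store,
# so this file should only contain what you would type by hand, and nothing else.
# User name, group name, password and management subnet are placeholders.

# A dedicated group with only the policies the job needs; policies not listed stay off.
/user group
add name=noc-readonly policy=read,ssh,winbox

# The user, reachable only from the management subnet, with a strong password.
/user
add name=noc1 group=noc-readonly password="Replace-With-A-Long-Random-Password" \
    address=10.0.0.0/24 comment="NOC read-only, created by users.auto.rsc"

# Leave a trace in the log so an unexpected user creation is visible later.
/log info "users.auto.rsc: created user noc1 in group noc-readonly"
```

The flip side of this convenience is that whoever can write a file to the router can run commands on it, so the ftp and write policies belong only to accounts that actually need them, and the file should travel over SSH/SFTP rather than plain FTP since it carries the password in cleartext. Check the result with `/user print` and `/user group print`, and remove the .auto.rsc file afterwards if the transfer did not already do so.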
by tomaskir
Wed Sep 20, 2017 7:17 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 527

Re: Dual WAN not responding to external telnet/WinBox requests

Post your entire '/ip firewall mangle export' please.
by tomaskir
Mon Sep 18, 2017 6:27 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 726

Re: Help with Ipsec and iOS

Ahh in my configuration the two are the same, can that be the problem?
EDIT:
Try to configure the L2TP secret in "/ppp l2tp-secret".
Make sure it's the same as the IPSec PSK in "/ip ipsec peer".

Then make sure it's the same in your client.
by tomaskir
Mon Sep 18, 2017 6:13 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 726

Re: Help with Ipsec and iOS

The L2TP secret is required. If i remove it, and try to connect i get the message "The IPsec shared secret is missing." There is a difference between IPSec PSK (pre-shared key), and the L2TP secret. You need to use the IPSec PSK (the one configured in "/ip ipsec peer"), but you must not use the L2T...
by tomaskir
Mon Sep 18, 2017 5:53 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 726

Re: Help with Ipsec and iOS

This would be the issue:
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping

Make sure NOT to use an L2TP secret in the VPN config on the iPhone, only L2TP username/password.
by tomaskir
Mon Sep 18, 2017 5:25 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 726

Re: Help with Ipsec and iOS

You can turn off logging for IPSec, we see that works.

Turn on logging for L2TP, that should tell us why it's failing to establish an L2TP session.
by tomaskir
Mon Sep 18, 2017 4:36 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 726

Re: Help with Ipsec and iOS

My PPP configuration is: ...
Your PPP profile is wrong. Use it like this:

Code:

/ppp profile
add change-tcp-mss=no dns-server=x.x.x.x local-address=x.x.x.x name=VPN remote-address=VPN_Users use-compression=no use-encryption=no use-ipv6=no use-mpls=no use-upnp=no
Change necessary things (such as DNS serv...
by tomaskir
Mon Sep 18, 2017 3:20 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 726

Re: Help with Ipsec and iOS

It seems IPSec works, and clients can't connect L2TP. We see in the log:
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.209[4500]->xx.xx.x.68[4500] spi=0xd337886
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.68[4500]->xx.xx.x.209[4500] spi=0xaddadc4
14:12:51 l2tp,info first ...
by tomaskir
Mon Sep 18, 2017 3:04 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 726

Re: Help with Ipsec and iOS

1) Make sure you are running latest RouterOS
There have been many IPSec fixes recently.

2) Enable IPSec logging:

Code:

/system logging
add topics=ipsec,!debug
3) Post your "/ip ipsec export" here
Maybe it's something simple we can spot just from the export.
by tomaskir
Sat Sep 16, 2017 2:38 pm
Forum: Beginner Basics
Topic: Small firewall question
Replies: 2
Views: 259

Re: Small firewall question

You will have to use the bridge.
Then either use bridge filters, or enable "Use IP firewall" for bridge, and use firewalling to block it.

In firewall, simply drop everything other than what you want to allow.