Community discussions

Search found 47 matches

by sanitycheck
Tue Jul 16, 2019 7:15 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 94
Views: 25009

Re: v6.44.5 [long-term] is released!

Upgrading to 6.44.5 (and possibly prior 6.44.x releases) does bonkers things to the SSH settings, in particular: If strong-crypto=yes then allow-none-crypto=no is added - AFAIK this is fixed in the latest beta. Pertinent to your situation forwarding-enabled=remote is added - IIRC this has been ment...
by sanitycheck
Sat Jul 13, 2019 7:32 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 94
Views: 25009

Re: v6.44.5 [long-term] is released!

Can't you connect via ssh but using administrative user name? Not in the standard configuration I use. As a security measure the only user on the router with ssh rights is a special user for just that purpose, and it only has the ssh permission. I remove the ssh rights from admin. Admin user can on...
by sanitycheck
Sat Jul 13, 2019 8:39 am
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 94
Views: 25009

Re: v6.44.5 [long-term] is released!

I connect to manage routers with ssh using an rsa ssh key. SSH strong-crypto is set to yes. I upgraded a remote test router from 6.43.16 long-term to 6.44.5 long-term. It allows me to make a connection using Putty as usual, the connection terminal window displays correctly. But when I try to manage t...
by sanitycheck
Fri Oct 12, 2018 7:13 pm
Forum: General
Topic: PCI Compliance - CVE-2015-4000
Replies: 7
Views: 821

Re: PCI Compliance - CVE-2015-4000

I can confirm that a PCI scan by a company popular in the USA will fail on ROS as recent as 6.40.8 with SSH strong-crypto set to 'yes.' Those same routers did pass maybe a year ago on an even earlier version of ROS but only after strong-crypto was set to 'yes.' The report indicates the SSH service s...
by sanitycheck
Mon May 07, 2018 5:35 pm
Forum: General
Topic: rb1100dx4 - all management has stopped
Replies: 4
Views: 645

Re: rb1100dx4 - all management has stopped

Yes, twice. I logged a ticket with support but have not been able to respond to their reply yet. They asked for a supout file but in both cases I could not make one while the problem was occurring (one because I could not access the router, and the other because generating the supout file from Winbo...
by sanitycheck
Wed Apr 11, 2018 8:54 pm
Forum: General
Topic: ROS SMB version - HP scan destination not compatible
Replies: 5
Views: 632

ROS SMB version - HP scan destination not compatible

For a long time I've used SMB with a USB flash drive as a destination for scans from HP multi-function lasers, most commonly the (now fairly old) M3035. Recent HP models, however, will not connect to the Mikrotik SMB share. Two examples are the color laser M575 and a plotter called Designjet T830. T...
by sanitycheck
Mon Feb 05, 2018 9:21 am
Forum: Announcements
Topic: v6.41.1 [current]
Replies: 106
Views: 15259

Re: v6.41.1 [current]

acruhl, was the mac address of the bridge originally set as administrative mac address? Or it was just dynamic before the upgrade? Sorry, I meant 6.41 to 6.41.1... I didn't statically set the MAC address. I just added the wired interface to the bridge is all. Looking at my notes on DHCP server conf...
by sanitycheck
Fri Dec 22, 2017 8:39 pm
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 76613

Re: v6.41 [current]

Found a first anomaly: Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work. After list deletion and recreation by hand, it works. I reset the config on a RB952ui-5ac2nd-us to a default setup on bugfix 6.39.3, and then up...
by sanitycheck
Fri Sep 22, 2017 10:43 pm
Forum: RouterBOARD hardware
Topic: Redundant power inputs
Replies: 25
Views: 6120

Re: Redundant power inputs

If you are in the US you might want to consider the Wifi Texas (find-a-poe.com) part called WS-Failover. They sell this part for redundant power to their smaller multi-port injectors (which are great) that don't have dual-power inputs built-in. But it will (should) work to power a Mikrotik directly...
by sanitycheck
Fri Sep 22, 2017 7:49 pm
Forum: General
Topic: If PoE-in + DC power supply connected = redundant power?
Replies: 7
Views: 2614

Re: If PoE-in + DC power supply connected = redundant power?

yes! one word of advice, make the two power sources slightly different voltage. it could have some problems if they are identical voltage. Would you clarify this, please? Your comment here is the only reference to using different voltage power supplies in a dual-power configuration I have found. If...
by sanitycheck
Fri Sep 22, 2017 6:02 pm
Forum: General
Topic: Sierra Wireless MC7750 on Verizon Wireless
Replies: 9
Views: 1592

Re: Sierra Wireless MC7750 on Verizon Wireless

Since your original message I noticed an update for the 7750 in the 6.41RC changelog: ppp - added support for Sierra MC7750, Verizon USB730L; PPP not LTE, unfortunately, and I'm not exactly sure what USB730L references. But maybe it means you can get your 7750 working with PPP at least. Also, if you...
by sanitycheck
Sat Jul 22, 2017 11:24 pm
Forum: General
Topic: Sierra Wireless MC7750 on Verizon Wireless
Replies: 9
Views: 1592

Re: Sierra Wireless MC7750 on Verizon Wireless

Interested to hear if you got the 7750 to run as an LTE device.
by sanitycheck
Tue Jun 27, 2017 11:51 pm
Forum: General
Topic: Sierra Wireless MC7750 on Verizon Wireless
Replies: 9
Views: 1592

Re: Sierra Wireless MC7750 on Verizon Wireless

The firmware issue Mikrotik mentioned might have only applied to the 7700 ATT version, but it was a good idea to upgrade anyway.

The only link I know for the DIP/QMI switcher is: www hptouchpad4g com / sierra.html
by sanitycheck
Sat Jun 24, 2017 4:15 am
Forum: General
Topic: Sierra Wireless MC7750 on Verizon Wireless
Replies: 9
Views: 1592

Re: Sierra Wireless MC7750 on Verizon Wireless

Did you check your MC card firmware version? That makes a difference, as is indicated in the Mikrotik supported hardware list. The hardware reference is for the MC7700, which is the ATT version, but I'd guess it is a factor on the MC7750 as well. With a firmware upgrade the card should show up as an...
by sanitycheck
Fri Jan 13, 2017 9:23 pm
Forum: Wireless Networking
Topic: Netgear Fuse 779s LTE Hotspot - Sprint (USA)
Replies: 0
Views: 384

Netgear Fuse 779s LTE Hotspot - Sprint (USA)

Wondering if anyone has connected a Netgear Fuse 779s hotspot over USB as an LTE or PPP adapter. I realize it's not on the hardware compatibility list. The Netgear Fuse is a fairly common hotspot adapter for carrier Sprint in the US. As of 6.38 it shows up as a USB device, but 'unknown' under PPP an...
by sanitycheck
Sat Aug 15, 2015 9:38 pm
Forum: Announcements
Topic: 6.31 released
Replies: 227
Views: 47204

Re: 6.31 released

I see something unusual with SSH after the upgrade to 6.31. I connect to a remote router by SSH using Putty in Windows. A special user is configured for remote SSH access using no password but with a DSA key. After the upgrade Putty prompted me with the standard warning I get (and expect) when I con...
by sanitycheck
Thu Jun 11, 2015 6:08 pm
Forum: Announcements
Topic: v6.29 released
Replies: 193
Views: 49288

Re: v6.29 released

I assume the FREAK SSL vulnerability fixed in 6.29 affected OpenVPN and SSTP since they are both tied to certificates and the Mikrotik certificate functions. But does FREAK affect IPSEC with PSK, meaning where a certificate is not used? Is SSH affected by FREAK when a certificate is used (or not)? I...
by sanitycheck
Wed Feb 18, 2015 7:22 pm
Forum: General
Topic: Tapatalk and Karma
Replies: 60
Views: 4768

Re: Tapatalk and Karma

In Tapatalk there is a feature called timeline (clock symbol second from left) that used to show posts from all categories in chronological order. It was convenient to browse all posts each day to see if there was something interesting to read. After the last forum and Tapatalk upgrades this option ...
by sanitycheck
Wed Dec 10, 2014 6:39 am
Forum: General
Topic: VoIP Phones Loosing Connections
Replies: 3
Views: 866

Re: VoIP Phones Loosing Connections

Are the disconnects corresponding with your Internet dropping or the Internet PPPoE having to reconnect?
by sanitycheck
Mon Oct 20, 2014 10:37 pm
Forum: Scripting
Topic: Script to disable-enable ether port when SIP not registered
Replies: 0
Views: 855

Script to disable-enable ether port when SIP not registered

(edit: re-wrote this because I fixed the scripts, and no longer have a question.) These scripts are a dirty and hopefully temporary fix for the problem where SIP phones connecting to a PBX server across an IPSEC tunnel will not register, typically seen after one side of the VPN's Internet has gone d...
by sanitycheck
Thu Oct 02, 2014 8:26 pm
Forum: General
Topic: all IPsec tunnels stops after few days
Replies: 17
Views: 6581

Re: all IPsec tunnels stops after few days

I had similar problems but just with SIP (or certain UDP connections) over IPSEC. It was triggered by a port flap on an Internet modem or other Internet outage. The problem seems to have been addressed in 6.18/6.19. However, before the firmware updates were released I noticed that fixing the router ...
by sanitycheck
Mon Aug 25, 2014 8:52 pm
Forum: General
Topic: OpenVPN Server error: TLS failed
Replies: 43
Views: 76153

Re: OpenVPN Server error: TLS failed

New OpenVPN server configured in 6.18 router confirmed working here with Require Client Certificate checked, using self-signed certificates generated by XCA in Ubuntu. Testing client was OpenVPN GUI software client for Windows (OpenVPN.net). This might not be your problem, but make sure your certifi...
by sanitycheck
Mon Aug 04, 2014 9:05 am
Forum: General
Topic: 951G-2HnD problem with 6.xx version of RouterOS
Replies: 17
Views: 3172

Re: 951G-2HnD problem with 6.xx version of RouterOS

I've been fighting a problem that's only somewhat similar, but fixing the eth1 speed (turning off auto-negotiate) seems to have addressed it. I wonder if that fix would help here.
by sanitycheck
Fri Aug 01, 2014 7:26 am
Forum: General
Topic: VPN connect - feature request
Replies: 4
Views: 2537

Re: VPN connect - feature request

I discovered disabling auto-negotiation as mentioned above eliminated a similar problem at a different customer site. In that case a SIP trunk to a service provider would stop responding, even though connection tracker said the connection was up (also SIP helper is enabled there). This happened ever...
by sanitycheck
Wed Jul 30, 2014 12:04 am
Forum: General
Topic: Mikrotik Router SIP Connection Blocked.
Replies: 76
Views: 37308

Re: Mikrotik Router SIP Connection Blocked.

I've been watching this topic because it's about the same problem, or a similar problem, to the one in this post:

http://forum.mikrotik.com/viewtopic.php ... 74#p439474

I listed a fix or work-around there that worked for me.
by sanitycheck
Tue Jul 29, 2014 9:02 pm
Forum: General
Topic: VPN connect - feature request
Replies: 4
Views: 2537

Re: VPN connect - feature request

Turning off port speed auto-negotiation on the WAN port seems to reduce the occurrence of this problem considerably. This is true even though the frequency of Internet outages has not varied much at that location. This change does not eliminate the problem as of 6.19, however. An older but similar c...
by sanitycheck
Tue Jul 15, 2014 5:00 am
Forum: General
Topic: VPN connect - feature request
Replies: 4
Views: 2537

Re: VPN connect - feature request

Check Gateway seems to help if the outage on the remote end is fairly long. By that I mean >20 seconds where the Check Gateway feature can detect the link went down. An example would be a manual power-cycle of a cable modem. If you get a port flap on the same modem, where the WAN port shows the mode...
by sanitycheck
Fri Jul 11, 2014 7:53 pm
Forum: General
Topic: Mikrotik Hotspot Bypass/Exclusion for Subnets
Replies: 12
Views: 3785

Re: Mikrotik Hotspot Bypass/Exclusion for Subnets

In the picture of the firewall rules it looks like you made modifications to accommodate the special 172.19.0.x subnet. In my case I did not make any changes to the default rules configured by the hotspot setup. Also, my IP bindings are different. I list only Address, Server, and Type. I leave MAC ad...
by sanitycheck
Wed Jul 09, 2014 10:30 pm
Forum: General
Topic: Mikrotik Hotspot Bypass/Exclusion for Subnets
Replies: 12
Views: 3785

Re: Mikrotik Hotspot Bypass/Exclusion for Subnets

I'm guessing you are way past this, but did you add an IP address to that shared interface for the camera IP subnet to use as a gateway (e.g. 172.19.0.1), and do you have a route for same? I have a similar setup with several hotspot access points on a subnet different from the range used by the hots...
by sanitycheck
Sun Jun 22, 2014 7:59 pm
Forum: General
Topic: HotSpot IP POOL - running out of addresses
Replies: 6
Views: 5701

Re: HotSpot IP POOL - running out of addresses

Thanks to WifiGuy for help with this problem. In the server section (ip / hotspot / servers) I modified the hotspot server (default called hotspot1) to show none for address pool, where the default setting was hs-pool-5 from when the hotspot was first created. The address pool specified in the user ...
by sanitycheck
Wed Jun 18, 2014 6:27 pm
Forum: General
Topic: IPSec Rekeying
Replies: 3
Views: 1293

Re: IPSec Rekeying

I wonder if this IPSEC problem could be the cause of the SIP phone problem I've been having. Random phone sets connected through a new, multi-site, all-Mikrotik IPSEC VPN to a PBX in the main office would fail to register inside of 24 hours. Manual reboot of main office router or PBX would fix for a...
by sanitycheck
Sun May 04, 2014 9:14 pm
Forum: Beginner Basics
Topic: Easy way to block Russia & China for noobs
Replies: 5
Views: 5055

Re: Easy way to block Russia & China for noobs

Thanks for that. I was looking for something to prevent OpenVPN connection attempts from those locations. I will use the list to block all connections instead. Attached is the change to create an address list called ru-cn instead as deejayq suggested, using the addresses you provided. I will then cr...
by sanitycheck
Fri Apr 04, 2014 7:12 am
Forum: General
Topic: IPSec vpn won't work unless subnet routed to local bridge
Replies: 10
Views: 4349

Re: IPSec vpn won't work unless subnet routed to local bridg

The route fixed the problem on a pair of 5.x routers with IPSEC VPN (both now at the latest 5.26), but adding the route to a pair of 6.x routers (both on 6.11) does not allow pinging the remote side's LAN IP. I do not have a solution. Both sets of routers are nearly identical in configuration except...
by sanitycheck
Thu Mar 27, 2014 7:14 am
Forum: General
Topic: 6.6 to 6.7 CRS very slow LAN speed
Replies: 41
Views: 10795

Re: 6.6 to 6.7 CRS very slow LAN speed

Has this problem been addressed? A better question might be: Was this problem exclusive to coming from (6.6) or going to a specific release (6.7), or can the speed problem be reintroduced by any (6.x) upgrade on a CRS? I did an export-import on 6.10 and it fixed the problem, but I'd rather not rush ...
by sanitycheck
Tue Feb 18, 2014 7:12 pm
Forum: General
Topic: can't rename imported certificate?
Replies: 10
Views: 2316

Re: can't rename imported certificate?

Manuelm, this post is for a different problem but OpenVPN's function has been a problem in the latest firmware releases. There are other posts and information in the firmware release notes about this. A quick test shows the rename problem not addressed in 6.10. This is true in Winbox and on the web ...
by sanitycheck
Sun Feb 09, 2014 9:30 pm
Forum: General
Topic: is there anyway to know password mistake?
Replies: 20
Views: 3222

Re: is there anyway to know password mistake?

Don't forget certificates. I import a certificate for a new user I add (I don't use a password on the account, but I do on the certificate). I put that new user in a new group I create that has only SSH access. I remove the SSH privilege from admin group. I then put SSH on a random, high-numbered po...
by sanitycheck
Sat Feb 01, 2014 12:17 am
Forum: General
Topic: can't rename imported certificate?
Replies: 10
Views: 2316

Re: can't rename imported certificate?

Not working for me in 6.9 on a 2011L. I still get the read-only warning. Former workaround of changing name in Webfig no longer works. Pretty sure it did in 6.7. Now Webfig throws me back to the login prompt and says internal error. Different browsers (Chrome, Firefox) on different OS (Windows, Ubun...
by sanitycheck
Thu Nov 21, 2013 8:05 pm
Forum: General
Topic: OpenVPN Server on RouterOS, mode=ip (tun) and Windows client
Replies: 7
Views: 9287

Re: OpenVPN Server on RouterOS, mode=ip (tun) and Windows cl

That works. Thanks. Now the .bat file is not needed, and the client.ovpn can be generic instead of client-specific. I'll adjust my post. I wonder why so many references show the route set up through route-up instead?
by sanitycheck
Wed Nov 20, 2013 10:30 pm
Forum: General
Topic: OpenVPN Server on RouterOS, mode=ip (tun) and Windows client
Replies: 7
Views: 9287

Re: OpenVPN Server on RouterOS, mode=ip (tun) and Windows cl

I think I found a solution to the route-up problem mentioned by Volans. Don't do the multiple pool setup mentioned earlier in the post; it's not part of this solution. Make each Windows user log in using a secrets listing unique to them, not a generic VPN user for use with many clients (e.g. make a P...
by sanitycheck
Mon Nov 04, 2013 7:42 pm
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12214

Re: DynDNS update script

You are right to be against double-NAT in general, but a dyndns TOS-compliant double-NAT option in your script would be useful and appreciated. I'm working with an ISP that is by far the best in the area (4G into fiber), but their internal configuration means double-NAT is unavoidable. Worse, their ...
by sanitycheck
Fri Sep 13, 2013 6:00 am
Forum: General
Topic: 6.3 - "Xauth login and password must be set for initiator!"
Replies: 2
Views: 1284

Re: 6.3 - "Xauth login and password must be set for initiato

Looks like it's fixed in 6.4.
by sanitycheck
Mon Sep 09, 2013 7:11 am
Forum: General
Topic: 6.3 - "Xauth login and password must be set for initiator!"
Replies: 2
Views: 1284

Re: 6.3 - "Xauth login and password must be set for initiato

Same problem for me on 6.3. Trying RoadWarrior setup for the first time and this stopped me.

This is in the Beta forum category though 6.3 has been released. Maybe it should be under General.
by sanitycheck
Fri Oct 19, 2012 8:23 am
Forum: General
Topic: IPSec vpn won't work unless subnet routed to local bridge
Replies: 10
Views: 4349

Re: IPSec vpn won't work unless subnet routed to local bridg

One router responds to remote ICMP pings, SSH login etc over the IPSec tunnel, but won't respond on the webserver, this seems to be an unrelated issue though.
I see I have the same problem. I'd like to know a solution, though with SSH working I can port-redirect my way into Winbox or the webserver.
by sanitycheck
Thu Oct 18, 2012 9:01 am
Forum: General
Topic: IPSec vpn won't work unless subnet routed to local bridge
Replies: 10
Views: 4349

Re: IPSec vpn won't work unless subnet routed to local bridg

Thanks for the tip. I added new routes with the dst. address field set to the subnet of the remote side, and the gateway set to bridge-local or ether2-master-local (if there is no bridge). Apparently no other fields in the route need to be set. From what I can tell, the routes have to be added to bo...
by sanitycheck
Sun Sep 02, 2012 7:38 pm
Forum: General
Topic: Weird ip binding bug/problem (RB750 v5.19)
Replies: 3
Views: 1491

Re: Weird ip binding bug/problem (RB750 v5.19)

Did you find your IP bindings line items just disappeared after a time, or did you still see them but they didn't work? I'm noticing on one RB750GL that all the IP bindings I added for bypassed computers months ago are gone; the list is empty. I didn't have the opportunity to see if they disappeared...
by sanitycheck
Thu Nov 17, 2011 5:41 pm
Forum: General
Topic: SSH tunnels/port forwarding still doesn't work
Replies: 12
Views: 4980

Re: SSH tunnels/port forwarding still doesn't work

Putty log doesn't show anything except the opening connection information. It doesn't log the error that is displayed on the screen, apparently because Putty terminates before it can log the error. The RB450 log shows that the user is logged in and out by ssh. It does not show that an error occurred...
by sanitycheck
Wed Nov 16, 2011 6:19 am
Forum: General
Topic: SSH tunnels/port forwarding still doesn't work
Replies: 12
Views: 4980

Re: SSH tunnels/port forwarding still doesn't work

The problem is also present on RouterOS 5.8 (running on an RB450) and Putty 0.60-2010-12-08 version from Ubuntu 11.04 64-bit. I can confirm Windows Putty version 0.60 running on Windows XP Professional does not have the problem when connected to the same RB450. It looks like Ubuntu 11.10 upgraded th...