Community discussions

by akschu
Mon Oct 21, 2019 6:16 pm
Forum: General
Topic: port forwarding needs what kind of firewall rules?
Replies: 2
Views: 247

Re: port forwarding needs what kind of firewall rules?

Telling the router to do destination nat is one thing, allowing that packet through the firewall is different. So if you have: chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=9090 protocol=tcp dst-address-type="" src-port=9090 dst-port=9090 log=no log-prefix="" then in /ip firewall fi...
by akschu
Mon Oct 21, 2019 6:09 pm
Forum: General
Topic: Unstable IPSEC over PPPOE interface
Replies: 10
Views: 1171

Re: Unstable IPSEC over PPPOE interface

I suspect you have a split routing or MTU issue as there are a lot of people using ipsec over pppoe without issue. I have one box plugged into 1000/100 pppoe internet connection and it's doing a lot of VPN work for an office of engineers.

schu
by akschu
Fri Sep 13, 2019 7:32 pm
Forum: General
Topic: Bug in /fetch dst-path=
Replies: 0
Views: 259

Bug in /fetch dst-path=

If I use /fetch into a directory, the system doesn't create that directory, instead it creates it as a file: [admin@hotspot104] /file> /tool fetch user=hotspot password="xxxxxxxxxx" url="https://domain.net/Hotspot/Files/hotspot104/login.html" dst-path=hotspot/ status: finished downloaded: 0KiBC-z pau...
by akschu
Fri May 17, 2019 11:02 pm
Forum: General
Topic: /ip filter raw action=return
Replies: 1
Views: 210

/ip filter raw action=return

I would like to track sessions and use normal /ip firewall filter rules for src addresses in list1, list2, and list3, but for everything else I don't have any need to track connections. Can I accomplish this with? /ip firewall raw add action=return chain=prerouting src-address-list=list1 add action=...
by akschu
Fri May 10, 2019 10:39 pm
Forum: General
Topic: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2
Replies: 4
Views: 321

Re: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2

No, you cannot do this. Authentication without the whole PKI chain including the root CA is not possible. Perhaps what we could do is add the possibility to match an Identity based on a specific common field in the client's certificate, for example, Unit. You could generate multiple client certificates with the s...
by akschu
Thu May 09, 2019 7:55 pm
Forum: General
Topic: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2
Replies: 4
Views: 321

[Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2

Right now we have three ways to authenticate certs in ike2: match-by=remote-id remote-id=user-fqdn:user@domain.com or equivalent or match-by=remote=id remote-certificate=<cert> or match-by=certificate The first two require us to identify every certificate that can be used to authenticate. The last o...
by akschu
Thu May 09, 2019 7:46 pm
Forum: General
Topic: [Feature Request] Allow dst-address-list in mode-config so that we can easily firewall road warriors.
Replies: 1
Views: 165

[Feature Request] Allow dst-address-list in mode-config so that we can easily firewall road warriors.

If we had: name="rw-config" system-dns=yes address-pool=roadwarriorips address-prefix-length=32 responder=yes dst-address-list=roadwarriors Then in the firewall we could reference the roadwarriors list and create dynamic firewalls for anyone connecting with the above mode-config. This would be vastl...
by akschu
Wed May 08, 2019 7:16 pm
Forum: General
Topic: IKE2 certificate auth question.
Replies: 4
Views: 299

Re: IKE2 certificate auth question.

There is nothing to be "fixed", it works as expected. The trust chain is from the endpoint certificate up to the root CA and it cannot be shortened arbitrarily. Plus to work, the entity checking the validity of an endpoint certificate must have access to the complete chain of CAs, while the one of ...
by akschu
Wed May 08, 2019 3:45 am
Forum: General
Topic: IKE2 certificate auth question.
Replies: 4
Views: 299

Re: IKE2 certificate auth question.

Config looks like this: /ip ipsec mode-config add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf /ip ipsec policy group add name=ike2-policies /ip ipsec profile set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 lifetime=1h add name=ike2 /ip ipsec peer add exchange-mode...
by akschu
Wed May 08, 2019 3:44 am
Forum: General
Topic: IKE2 certificate auth question.
Replies: 4
Views: 299

IKE2 certificate auth question.

I have a certificate authority and a sub CA then my server and road warrior cert. Like this: ROOT CA | VPN CA | | Client cert Server cert The idea is that I only want client certs signed by the VPN CA to authenticate, not every user cert signed by ROOT CA. I thought I could do this by simply putting...
by akschu
Mon Apr 15, 2019 11:11 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208765

Re: Feature requests

This is what I need, a way to make a firewall list based on ipsec identity. All that's needed to make this work is the ability to define src-address-list when responder=yes: /ip ipsec mode-config add address-pool=ike2-pool address-prefix-length=32 name=ike2-firewallrulesA src-address-list=firewallru...
by akschu
Sat Apr 13, 2019 3:15 am
Forum: General
Topic: Firewall rules for specific ipsec remote-peers.
Replies: 0
Views: 203

Firewall rules for specific ipsec remote-peers.

I would like to build a chain of firewall rules, then assign that chain to road-warrior VPN clients that authenticate with ike2 and thus are identified by the ipsec identity, and thus the ipsec mode-config. What would be great is if the src-address-list attribute on ipsec mode-config worked in respo...
by akschu
Tue Apr 17, 2018 10:44 pm
Forum: Scripting
Topic: Schedules imported from run-after-reset don't work. Wrong owner.
Replies: 1
Views: 299

Schedules imported from run-after-reset don't work. Wrong owner.

So if I /system reset-configuration with run-after-reset with a config containing: /system scheduler add interval=24h name=getconfig on-event=update start-time=02:30:00 Then it imports it as: [admin@mikrotik] /system scheduler> print detail Flags: X - disabled 0 name="getconfig" start-date=jan/02/19...
by akschu
Tue Dec 19, 2017 10:46 pm
Forum: General
Topic: Users default to no password, and no way to detect it!
Replies: 4
Views: 1172

Users default to no password, and no way to detect it!

RouterOS Devs: The default user creation doesn't require a password, and defaults to blank, which means if someone simply does a: /user add name=fred group=full Then you can immediately login as fred with no password. This creates a significant security issue that isn't immediately obvious. Furtherm...
by akschu
Sat Nov 11, 2017 12:17 am
Forum: General
Topic: Mikrotik - limitations for enterprise solutions
Replies: 16
Views: 8558

Re: Mikrotik - limitations for enterprise solutions

There are plenty of limitations for service providers as well. 1. BGP is single core. 2. VRF's pretty much don't work because local connected routes are always available to all tables. 3. SNMP monitoring support is terrible. 4. openvpn only works in TCP mode. 5. Limited -48v DC options (though this ...
by akschu
Fri Nov 10, 2017 11:49 pm
Forum: General
Topic: Feature Request: SNMP OID mapping to scripts
Replies: 0
Views: 382

Feature Request: SNMP OID mapping to scripts

The routeros platform is pretty limited in regards to monitoring with snmp. If I want something like cpu resource monitoring or ipsec SA monitoring, then I have to find other ways to monitor than snmp. However, there is a super simple way that mikrotik could fix this: Assign an OID to each /system s...
by akschu
Fri Nov 10, 2017 10:25 pm
Forum: General
Topic: Traffic assigned to alternate routing table leaks to main table.
Replies: 1
Views: 224

Traffic assigned to alternate routing table leaks to main table.

Hello, I'm having an issue with the main routing table being used when I've set the traffic to use an alternate routing table. Here is my setup [remote router with static ip in aws] <-----vpn----- [local router with dynamic IP] I want all of my web/mail/ssh traffic to go to the host with a static, a...
by akschu
Fri Mar 31, 2017 8:44 pm
Forum: General
Topic: Packets on INPUT chain blocked when translated.
Replies: 3
Views: 484

Re: Packets on INPUT chain blocked when translated.

Thanks for the response. You are right, they are invalid packets, because the tcp timeout on connection tracking is super aggressive. I relaxed that a bit and that helped, now I'm dropping invalid traffic before it hits my logs so that I'm not filling up my firewall logs with tcp timeout nonsense. A...
by akschu
Thu Mar 30, 2017 11:40 pm
Forum: General
Topic: Packets on INPUT chain blocked when translated.
Replies: 3
Views: 484

Re: Packets on INPUT chain blocked when translated.

More oddness: If I trace a flow using logging in the prerouting or post routing chain I see something like this: Where 1.1.1.1 is the public client, 2.2.2.2 is the public facing address on the routeros host, and 3.3.3.3 is the private address I'm doing port address translation to: Mar 30 12:26:32 pr...
by akschu
Thu Mar 30, 2017 7:59 pm
Forum: General
Topic: Packets on INPUT chain blocked when translated.
Replies: 3
Views: 484

Packets on INPUT chain blocked when translated.

I'm trying to understand why I'm seeing this: 08:49:07 firewall,info input: in:public-gateway out:(none), src-mac 44:f4:77:10:ba:20, proto TCP (ACK,FIN), 6.1.1.2:62092->6.16.9.6:443, len 52 When I have this: /ip firewall nat add action=dst-nat chain=dstnat dst-address=6.16.9.6 dst-port=443 protocol=...
by akschu
Fri Jul 22, 2016 11:48 pm
Forum: Beginner Basics
Topic: Routerboard vs RouterOS on x86 ? If we use RouterOS with freeradius and freeside.
Replies: 9
Views: 2220

Re: Routerboard vs RouterOS on x86 ? If we use RouterOS with freeradius and freeside.

As someone that runs 4000+ pppoe sessions on x86 routeros I doubt that the CCR1036-12G-4S could do it. The pppoe server code doesn't thread well (at least on x86) and other posts on the forum seem to indicate you will have one CPU absolutely at 100% while the remaining 35 cpus idle. As far as mikro...
by akschu
Wed Jul 13, 2016 11:31 pm
Forum: General
Topic: Weird 129.0.0.x IPs ?
Replies: 30
Views: 4607

Re: Weird 129.0.0.x IPs ?

I'm seeing this too. And it's hard to figure out where the traffic is coming from because the routeros sniffer either doesn't work right or it's lying to me because it shows the traffic on bond1 when interface is any: 1 0.035 bond1 129.0.0.71:49320 ...
by akschu
Thu Sep 24, 2015 6:20 pm
Forum: General
Topic: v6.33rc release candidate (final testing)
Replies: 203
Views: 37402

Re: v6.33rc release candidate

The biggest issue now is pppoe/cpu performance. It's not quite multi-threaded: Thanks for doing this Mikrotik! Still waiting for your discovery of the problem Ticket#2014122166000217 - when in system many interfaces, and you delete one of them - mikrotik hangs on some time and loses packets. "Interf...
by akschu
Wed Sep 23, 2015 10:22 am
Forum: General
Topic: v6.33rc release candidate (final testing)
Replies: 203
Views: 37402

Re: v6.33rc release candidate

*) ppp - added new option under "ppp aaa" - "use-circuit-id-in-nas-port-id"; Any details? Please update documentation or post some explanation. It allows some port information to be passed from pppoe through to radius. See my request here: http://forum.mikrotik.com/viewtopic.php?t=95696 I can confi...
by akschu
Thu Aug 27, 2015 9:54 pm
Forum: Scripting
Topic: perl API client
Replies: 102
Views: 52440

Re: perl API client

I think the code that Efaden put on github is probably the best bet since it fixes the length issue, as well as gives us a place to track changes, but it didn't have port or ssl support. I forked his code and added those features: https://github.com/akschu/MikroTikPerl Efaden, please consider merging...
by akschu
Wed Jun 03, 2015 11:51 pm
Forum: General
Topic: Why no CPU temp using standard intel coretemp hardware?
Replies: 0
Views: 454

Why no CPU temp using standard intel coretemp hardware?

I have an intel core 2 cpu in an axiomtek NA-820, it's pretty basic stuff, and works perfectly in linux: Driver `coretemp': * Chip `Intel digital thermal sensor' (confidence: 9) coretemp-isa-0000 Core 0: +39.0°C (high = +80.0°C, crit = +98.0°C) Core 1: +40.0°C (high = +80.0°C, crit = +98.0°C) But no...
by akschu
Wed Apr 15, 2015 8:22 pm
Forum: General
Topic: v6.28 will be released this week!
Replies: 72
Views: 19048

Re: v6.28 will be released this week!

It doesn't look like the builds are being updated. I just downloaded the latest and it says the build time was Apr/13/2015 14:10:30.

I really hope the ssl bug gets fixed, it's making pulling config from https impossible.
by akschu
Wed Apr 15, 2015 12:06 am
Forum: General
Topic: v6.28 will be released this week!
Replies: 72
Views: 19048

Re: v6.28 will be released this week!

I was told by support that the fetch/ssl bug (http://forum.mikrotik.com/viewtopic.php?f=1&t=95576) would be fixed in the next release, but the latest version (version: 6.28, build-time: Apr/13/2015 14:10:30) still doesn't download more than 4096 bytes. I really hope this is fixed before the next rel...
by akschu
Fri Apr 10, 2015 8:02 pm
Forum: Announcements
Topic: v6.28 final RC testing
Replies: 92
Views: 31501

Re: v6.28 final RC testing

Fixing the fetch ssl bug would be fantastic since it makes /tool fetch unusable for me: http://forum.mikrotik.com/viewtopic.php?f=1&t=95576 Got this back from support: Re: [Ticket#2015040666000483] Bug with /tool fetch and https. Hello, It's due to a bug in the ssl library. The next release will have the fix....
by akschu
Wed Apr 08, 2015 7:01 pm
Forum: General
Topic: [Feature request] Pass the vendor specific PPPoE tags through to radius as an attribute.
Replies: 0
Views: 838

[Feature request] Pass the vendor specific PPPoE tags through to radius as an attribute.

This feature would make the pppoe server much more viable as a cisco/juniper/redback replacement with minimal programming effort. Simply take the vendor specific pppoe tag "circuit id" and pass it through as the radius NAS-Port-ID attribute in the radius request packet. Here are docs on how this...
by akschu
Sat Apr 04, 2015 12:21 am
Forum: Announcements
Topic: v6.28 final RC testing
Replies: 92
Views: 31501

Re: v6.28 final RC testing

Fixing the fetch ssl bug would be fantastic since it makes /tool fetch unusable for me:

http://forum.mikrotik.com/viewtopic.php?f=1&t=95576
by akschu
Sat Apr 04, 2015 12:20 am
Forum: General
Topic: /tool fetch always truncates files to 4096 bytes when using https.
Replies: 2
Views: 1293

/tool fetch always truncates files to 4096 bytes when using https.

See below. The exact same file from the same server gets truncated when downloaded through https: [admin@MikroTik] /file> /tool fetch url="https://webserver/test" status: finished [admin@MikroTik] /file> print where name=test # NAME TYPE SIZE CREATION-TIME 0 test file 4096 jan/01/1970 16:32:33 [admi...
by akschu
Sat Feb 07, 2015 7:51 am
Forum: RouterBOARD hardware
Topic: mAP 2n blinking
Replies: 25
Views: 9463

Re: mAP 2n blinking

Mine is acting very strange. I can't get a solid link light half the time, I was able to get in if I reboot it enough times, but after a downgrade to 6.25 after seeing kernel panic messages I was never able to get it to work again.

I guess I'll mail it back.
by akschu
Mon Nov 24, 2014 7:33 pm
Forum: Forwarding Protocols
Topic: OSPF area range doesn't seem to do anything.
Replies: 1
Views: 1148

OSPF area range doesn't seem to do anything.

I'm not sure if I found a bug in my thinking or RouterOS, but I can't seem to get OSPF to work the way I think it should. I have a PPPOE server that uses static ip addresses from radius, static networks from radius, and a local dynamic pool. I would like to originate the static ip addresses, the sta...
by akschu
Sat Nov 22, 2014 12:54 am
Forum: Scripting
Topic: perl API client
Replies: 102
Views: 52440

Re: perl API client

This is a bit of a hack, but I needed something in perl so I extended this code to use ssl. Attached is the module.
by akschu
Thu Jul 04, 2013 3:23 am
Forum: General
Topic: Get the dhcp client hostname in snmp.
Replies: 1
Views: 2131

Re: Get the dhcp client hostname in snmp.

I really need this feature, and it would be trivial to add. The MIB is already in place since Mikrotik uses the existing DHCP mib, and that mib already has a spot for this: dhcpv4ServerClientHostName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "T...
by akschu
Tue Jun 12, 2012 12:31 am
Forum: General
Topic: Is this a bug in ipsec dynamic policies?
Replies: 1
Views: 3023

Is this a bug in ipsec dynamic policies?

So I'm working on setting up ipsec/l2tp with an ipad. I've done it a number of times on a number of different platforms so I have a pretty good idea on what I'm doing. The problem with the mikrotik is that you can't add an ipsec policy that has a dynamic endpoint: [admin@MikroTik] /ip ipsec policy> ...
by akschu
Thu Mar 15, 2012 2:30 am
Forum: General
Topic: Get the dhcp client hostname in snmp.
Replies: 1
Views: 2131

Get the dhcp client hostname in snmp.

I have a requirement to get the host-name of the dhcpclient in snmp so I can monitor who is on the network. The information is available in the router: [admin@MikroTik] /ip dhcp-server lease> print Flags: X - disabled, R - radius, D - dynamic, B - blocked # ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-...