Search found 44 matches

by pwuk
Wed Feb 24, 2021 7:00 pm
Forum: General
Topic: Constantly changing SSH keys and missing users
Replies: 4
Views: 358

Re: Constantly changing SSH keys and missing users

Bit the bullet and decided to upgrade+reboot

Couldn't copy files on to router, or download them.

Rebooted, and it came back (phew), with all my old user accounts, all fixed.

Perhaps disk was in read only mode or something.
by pwuk
Mon Feb 22, 2021 9:04 pm
Forum: General
Topic: Constantly changing SSH keys and missing users
Replies: 4
Views: 358

Re: Constantly changing SSH keys and missing users

Yes, there's nothing in the "export terse" that's different to what it should be.

Be so much easier if I could physically go and prod the router (and replace it with one off the shelf)
by pwuk
Thu Jan 28, 2021 8:47 pm
Forum: General
Topic: Constantly changing SSH keys and missing users
Replies: 4
Views: 358

Constantly changing SSH keys and missing users

I have a CCR which my automatic backup user has stopped being able to ssh in. The router sends syslog to a fairly local server, there's nothing in the log to show a problem before the "system,error,critical login failure for user .... via ssh" started appearing every half hour or so, exactly as I'd exp...
by pwuk
Fri Jul 24, 2020 1:03 pm
Forum: RouterBOARD hardware
Topic: CCR1036 interfaces dropping for 8 seconds
Replies: 2
Views: 847

Re: CCR1036 interfaces dropping for 8 seconds

Moved config onto identical router and got a local smarthand to move the cables down. The problem moved to the replacement hardware.
Disabled most recent bits of config like vrrp and a couple of vlans, problem remained.
Disabled all the device ports, leaving just the two links out. Problem vanished. Br...
by pwuk
Tue Jul 14, 2020 8:06 pm
Forum: RouterBOARD hardware
Topic: CCR1036 interfaces dropping for 8 seconds
Replies: 2
Views: 847

CCR1036 interfaces dropping for 8 seconds

I've got two cloud core routers on the other side of the atlantic, and one of them is dropping out for 8.6 seconds at a time on average once an hour (but nowhere near metronomic -- it happened 3 times in the last 60 minutes). log print shows
12:44:04 interface,info sfp1 link down
12:44:04 interface,i...
by pwuk
Mon Jun 22, 2020 11:15 pm
Forum: General
Topic: SSTP and certificates
Replies: 1
Views: 612

SSTP and certificates

I've recently adopted a VPN solution, and upon reviewing it it seems they haven't installed any certificate, let alone a valid one, on the server. Am I right to think that sstp has the client send the username/password to the server, and thus is open to MITM attacks? They have about 120 clients on the...
by pwuk
Wed Jun 17, 2020 8:34 pm
Forum: Forwarding Protocols
Topic: Marking packets between mikrotik routers! [SOLVED]
Replies: 3
Views: 1480

Re: Marking packets between mikrotik routers! [SOLVED]

I see, so the traffic appears to come from the same public IP address whether it's from network A, or network B, and you want to deal with traffic from network B differently on the firewall. You could use a mangle rule to change DSCP on each packet - set it to 1 from network A, 2 from network B, then...
by pwuk
Wed Jun 17, 2020 8:22 pm
Forum: Forwarding Protocols
Topic: Issue with establishing BGP
Replies: 1
Views: 478

Re: Issue with establishing BGP

You're attempting to peer with 172.22.245.109, but you don't have a route to that network. It's either supposed to be connected directly (say you are support to be 172.22.245.110, and there's a cable between the two routers), or you reach it via some other form of routing (statics, ospf, etc).
by pwuk
Wed Jun 17, 2020 8:20 pm
Forum: Forwarding Protocols
Topic: BGP routes won't get installed on CCR1072 [SOLVED]
Replies: 2
Views: 1226

Re: BGP routes won't get installed on CCR1072 [SOLVED]

It looks like you have added static routes to each network, via 10.0.99.42. These are being used as active routes because they have the lowest cost (1). Your BGP routes (ibgp) are not being installed into the routing table because the same destination (for example 10.103.0.0/22) is already available ...
by pwuk
Tue May 12, 2020 7:01 pm
Forum: Forwarding Protocols
Topic: WE NEED EIGRP
Replies: 39
Views: 17649

Re: WE NEED EIGRP

I came across this page the other day -- https://www.quora.com/How-are-EGP-and-IGP-different
The author is a Principal Engineer at Cisco, working on BGP, so clearly he knows his routing:
"There is only one EGP protocol in use and it is BGP. The two common IGP protocols in use are OSPF and ISIS. ...
by pwuk
Tue May 12, 2020 6:21 pm
Forum: Forwarding Protocols
Topic: Multicast routing issue on RB3011
Replies: 1
Views: 1515

Re: Multicast routing issue on RB3011

I've seen Juniper SRXs silently dropping unicast traffic. I haven't got any concrete proof that mikrotiks are dropping packets silently, but I've suspected. I do know some routers - like the CCR1036 - are prone to reordering packets, especially when there are queue trees involved. I'm glad someone e...
by pwuk
Mon May 11, 2020 9:08 pm
Forum: Forwarding Protocols
Topic: BGP advertise smaller prefix than /24 [SOLVED]
Replies: 7
Views: 3835

Re: BGP advertise smaller prefix than /24 [SOLVED]

Just to confirm I advertise everything from /16 to /32 (and /0) via eBGP between many different ASs. I do try to aggregate routes to /24s, but it's sometimes not possible.
For example, incoming filter at one site:
/routing filter
add action=accept chain=bgp-in-fromcore comment="From UK Path A"...
by pwuk
Tue Jan 28, 2020 1:34 pm
Forum: Forwarding Protocols
Topic: MIkrotik BGP Monitoring
Replies: 60
Views: 26339

Re: MIkrotik BGP Monitoring

Normally you can monitor BGP via SNMP walking 1.3.6.1.2.1.15.3.1.2, which returns the state (other oids are available). Mikrotik doesn't implement this, which seems crazy. I typically peer mikrotik-cisco or mikrotik-juniper and monitor on the cisco/juniper end, which does work. If you're peering mikr...
by pwuk
Fri Sep 06, 2019 2:54 pm
Forum: Forwarding Protocols
Topic: 2 WAN BGP failover
Replies: 6
Views: 3339

Re: 2 WAN BGP failover

"First of all 10.10.... looks like is a Private IP, you cannot advertise them to BGP!"
Of course you can. Here's one router I have:
 #      DST-ADDRESS        PREF-SRC   GATEWAY           DISTANCE
 0 ADb  0.0.0.0/0                     172.26.114.241    20
 1 ADb  10.67.57.0/24                 172.26.114.241    20
 2 ADb  10.168.30.0/24                172.26.114.241    20
 3 ADb  10.169.42.9/3...
by pwuk
Fri Sep 06, 2019 2:51 pm
Forum: Forwarding Protocols
Topic: UNABLE TO PING OVER EOIP TUNNEL
Replies: 4
Views: 2314

Re: UNABLE TO PING OVER EOIP TUNNEL

So on each router you have an eoip interface, a physical port, and a bridge that contains both?

I'm guessing there's no entry in the arp tables?
by pwuk
Thu Sep 05, 2019 10:54 am
Forum: Forwarding Protocols
Topic: 2 WAN BGP failover
Replies: 6
Views: 3339

Re: 2 WAN BGP failover

Route filters
* Wan1-out -- set 10.10.2.0/24 to as-prepend of 2
* Wan2-out -- set 103.107.224.0/23 to as-prepend of 2
That would mean that incoming traffic would However for outgoing traffic I think you'd have to use routing marks if you only have one router, and from memory that involves using /rou...
by pwuk
Tue Mar 12, 2019 2:23 pm
Forum: Forwarding Protocols
Topic: nexthop unreachable via iBGP
Replies: 1
Views: 2048

nexthop unreachable via iBGP

I have a test network set up as a square
A1 --- B1
|      |
A2 --- B2
A1 and A2 are in AS1
B1 and B2 are in AS2
Each link has a /30 p2p address
A1 and A2 have an ibgp session between the two /30 IPs
B1 and B2 have an ibgp session
A1 and B1 have an ebgp session with local pref of 100
A2 and B2 have an ebg...
by pwuk
Tue Jan 29, 2019 9:07 pm
Forum: Forwarding Protocols
Topic: iBGP and eBGP
Replies: 3
Views: 3042

Re: iBGP and eBGP

Thanks for this,
> Another thing to note, how does your OSPF process learn the prefixes advertised from AS 65011? If the answer is redistribution of BGP into OSPF then you need to ensure you are redistributing with external type1,
your post was really helpful in working out what's going on. I believ...
by pwuk
Tue Jan 08, 2019 7:16 pm
Forum: Forwarding Protocols
Topic: iBGP and eBGP
Replies: 3
Views: 3042

iBGP and eBGP

I have a network setup that looks like this https://tinyurl.com/ydx8e6db https://i.imgur.com/VQpqYny.png
With Orange being OSPF, and Blue being eBGP. BGP has a cost of 20, and OSPF 110. I can use a variety of BGP tricks to force traffic from R11 to prefer going via R1 or R2 (local pref, med, ASpath p...
by pwuk
Mon Oct 01, 2018 8:07 pm
Forum: RouterBOARD hardware
Topic: 1100AHx4 loss
Replies: 1
Views: 677

1100AHx4 loss

I have a fairly complicated router config running on an 1100AHx4 on version 6.42.9. When I remove all the devices and just do laptop to laptop, port 4 (bridge) to port 11 (separate bridge), via a srcnat, and some queue trees, and stream 290mbit of traffic via iperf from one side to another, it works...
by pwuk
Wed Jun 13, 2018 6:23 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 105295

Re: VPNfilter official statement

Certainly not the unix way
{code}
~$ grep testu /etc/passwd
testuser:x:1003:1003:,,,:/home/testuser:/bin/bash
~$ sudo userdel testuser
~$ grep testu /etc/passwd
{code}
But that's fine. The way the underlying file system isn't wiped on an upgrade does make me slightly more concerned about how the in...
by pwuk
Tue Jun 12, 2018 9:52 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 105295

Re: VPNfilter official statement

"What architecture is your potentially compromised system?"
"This was an in-house lab x86 system (non-production - but live Internet connected) system we sometimes used to ping to and btest to. Because it was not production and stand-alone, it had no firewalls on it."
Interesting, I have a similar box, ...
by pwuk
Tue Jun 12, 2018 1:53 pm
Forum: General
Topic: Load balancing and failover
Replies: 5
Views: 1010

Re: Load balancing and failover

Clearly if the bulk of your traffic is from one IP to another IP you can't balance it -- at least not without an ISP providing something like LACP or ECMP (and even then I believe it's good practice to send the same IP/port/src-dst down the same link to avoid reorders. I've not really used either pr...
by pwuk
Mon Jun 11, 2018 11:08 pm
Forum: General
Topic: Load balancing and failover
Replies: 5
Views: 1010

Re: Load balancing and failover

I think you could use something like:
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=via_1 per-connection-classifier=dst-address:2/0
add action=mark-connection chain=prerouting new-connection-mark=via_2 per-connection-classifier=dst-address:2/1
add action=mark-ro...
by pwuk
Mon Jun 11, 2018 10:52 pm
Forum: General
Topic: x86_64 architecture
Replies: 2
Views: 778

Re: x86_64 architecture

I can confirm that applies to the x86 version in a VM (which had >7gb allocated)

However the CHR version has no such limit
by pwuk
Mon Jun 11, 2018 10:46 pm
Forum: General
Topic: Hardware Offload
Replies: 2
Views: 1299

Re: Hardware Offload

If you hardware the switching, does the bandwidth used show up on the interface? Can you run packet captures on the traffic?
by pwuk
Mon Jun 11, 2018 10:42 pm
Forum: General
Topic: The security flaw for Hajime is closed by the firewall
Replies: 37
Views: 25147

Re: The security flaw for Hajime is closed by the firewall

"The compromised port and where the vulnerability get into my router was API 8728. I got this because I'm checking daily my routers, and the rules was placed 3 minutes before, and I got this in the log. The router that I have is a Lab router to catch this kind of issues: This is what I get in my log ...
by pwuk
Mon Jun 11, 2018 10:36 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 105295

Re: VPNfilter official statement

In looking into one of my possible compromised Mikrotik ROS systems, I see in the underlying vmlinuz ( compressed Linux kernel ) user dat file what appears to be two additional user accounts which are not visible in the Mikrotik user manager system. The two accounts in question are: admin b (as in ...
by pwuk
Thu May 24, 2018 9:33 pm
Forum: General
Topic: VPNFilter malware [SOLVED]
Replies: 9
Views: 11126

Re: VPNFilter malware [SOLVED]

Yes, that is to be expected, there was a vulnerability locked down in 6.40.8
"What's new in 6.40.8 (2018-Apr-23 11:34):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;"
I wonder how that worked, and what "unsecured" means. As a rule I tend to ...
by pwuk
Thu May 24, 2018 8:18 pm
Forum: General
Topic: The security flaw for Hajime is closed by the firewall
Replies: 37
Views: 25147

Re: The security flaw for Hajime is closed by the firewall

That's rather funny!
1) Restore your config to a backup version before you got hacked, update the firmware to the latest version
2) Keep your firmware up to date. Don't use an easy to guess password.
3) Block non-established input traffic from the internet, especially control traffic, unless you know...
by pwuk
Wed May 23, 2018 11:20 pm
Forum: RouterBOARD hardware
Topic: VPNFilter Malware
Replies: 8
Views: 6568

Re: VPNFilter Malware

We could guess and assume it's related to viewtopic.php?f=21&t=132499#p650812, as suggested in the other thread (viewtopic.php?f=2&t=134754&p=663554). It would be good to have that confirmed.
by pwuk
Tue Nov 14, 2017 7:28 pm
Forum: Beginner Basics
Topic: Multicast Stream Forwarding
Replies: 2
Views: 817

Re: Multicast Stream Forwarding

So you want to send multicast to subscribers who haven't actually subscribed to it?
by pwuk
Fri Nov 10, 2017 7:14 pm
Forum: Forwarding Protocols
Topic: ISP Network Extension to another city
Replies: 4
Views: 1310

Re: ISP Network Extension to another city

If you've been given a virtual ethernet cable then just treat it as if it was a real ethernet cable. There's a few protocols that may be stripped (but may not be - I've had both) -- lldp, LACP, etc, but the beauty of a layer 2 link is you can simply treat it as a 100km ethernet cable. The Tier-1 ISP...
by pwuk
Fri Nov 10, 2017 7:01 pm
Forum: Forwarding Protocols
Topic: Filtering OSPF originated links
Replies: 4
Views: 1526

Re: Filtering OSPF originated links

The entire network looks like https://i.imgur.com/eOzNLLE.png
With Box 1 / 2 / 3 being able to plug into either Edge 1 or Edge 2 depending on the day (but not into both locations at the same time). Edge 1 or Edge 2 then advertises the box into the core.
Edge1 advertises via BGP:
* 192.168.1.0/24
* 1...
by pwuk
Fri Nov 10, 2017 2:29 pm
Forum: Forwarding Protocols
Topic: Filtering OSPF originated links
Replies: 4
Views: 1526

Filtering OSPF originated links

I have a typical router with multiple networks on
192.168.1.0/25
192.168.1.128/26
192.168.1.192/28
192.168.1.255/32
etc.
This leads to a dozen or so routes advertised by OSPF, and this makes a messy routing table when there are 5 or 6 of these routers connected together. If I add a static route for ...
by pwuk
Wed Apr 09, 2014 7:39 pm
Forum: The Dude
Topic: The Dude - Windows -> Linux Migration
Replies: 8
Views: 4347

Re: The Dude - Windows -> Linux Migration

The application is using windows-style libraries, the core OS (e.g. the network stack) isn't though.
by pwuk
Sat Dec 21, 2013 8:49 am
Forum: General
Topic: ip reverse dns lookup
Replies: 3
Views: 9189

Re: ip reverse dns lookup

Sure (Private network on 192.168.81.254/24, local pc on .100, usual masquerading)
Set up your router like this
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.81.100 name=mypc.me.com
add address=192.168.81.254 name=myrouter.me.com
Then run this on you...
by pwuk
Sat Dec 21, 2013 8:14 am
Forum: Forwarding Protocols
Topic: BGP and OSPF relative distances, am I doing it wrong?
Replies: 1
Views: 1029

Re: BGP and OSPF relative distances, am I doing it wrong?

OK, that was a dumb move. I'd set up the ebgp peering, but not the ibgp peering.

In a far better state now :oops:

I split AB and CD into two AS numbers, and got rid of OSPF on those 4. Kept EF as a single one. Peer from B-C, E-F, B-E and C-F. Routes all seem to work regardless of the failures.
by pwuk
Thu Dec 19, 2013 2:54 pm
Forum: Forwarding Protocols
Topic: BGP and OSPF relative distances, am I doing it wrong?
Replies: 1
Views: 1029

BGP and OSPF relative distances, am I doing it wrong?

I have two networks, which I want to join using BGP.
The first network consists of 4 routers, with ethernet /30 links in line A-B-C-D. Call it AS 65501. They run OSPF, and all is well.
I also have a large network running OSPF, with 2 routers, and gigabit connectivity, AS65500
E-F
| |
(various other bit...
by pwuk
Sun Dec 15, 2013 11:08 am
Forum: Scripting
Topic: remote ssh via script
Replies: 52
Views: 39359

Re: remote ssh via script

Well you get around the requirement for interaction and passwords by using ssh keys, however that doesn't help when you run the script from the scheduler. Here's my script:
add name=remotebackup policy=read,write,test source="/log info \"start backup\"; /log info \"Get R1\"; ...
by pwuk
Thu Jul 04, 2013 8:42 am
Forum: General
Topic: Stupid multicast question
Replies: 3
Views: 995

Stupid multicast question

I've never trusted multicast I'm afraid, so don't have any experience of how it's supposed to work, other than vague notions of magic. It would, however, simplify one project I'm working on. I have 2 mikrotik 1100AHs, linked together with a single gigabit cable on ether1, making about 15 of the ports...
by pwuk
Tue Aug 21, 2012 10:19 am
Forum: Beginner Basics
Topic: Stupidly broke my rb1200
Replies: 3
Views: 1027

Re: Spuidly broke my rb1200

(I'm aware of the irony of the mis-spelt subject, I blame the jet lag)

So will that work when plugged into any of the ports?
by pwuk
Tue Aug 21, 2012 6:15 am
Forum: Beginner Basics
Topic: Stupidly broke my rb1200
Replies: 3
Views: 1027

Stupidly broke my rb1200

OK, I had a routerboard 1200 responding on eth1 to the IP 192.168.88.1. I accidentally dropped this interface, rendering the entire machine useless. I don't have a serial port on my laptop, let alone the inevitable mess of cables. Now I've booted with the reset button pressed, with the reset jumper s...
by pwuk
Wed Aug 01, 2012 8:59 pm
Forum: General
Topic: Forwarding UDP to 2 addresses
Replies: 0
Views: 458

Forwarding UDP to 2 addresses

Hi, I currently use a program called "samplicator" (http://code.google.com/p/samplicator/), to listen to UDP traffic coming in, and forward it onto multiple machines. Now this seems a bit of a waste of a computer, and the usual overhead of maintaining it. I'd like to ideally run something ...