Community discussions

Search found 31 matches

by pwuk
Fri Sep 06, 2019 2:54 pm
Forum: Forwarding Protocols
Topic: 2 WAN BGP failover
Replies: 6
Views: 728

Re: 2 WAN BGP failover

First of all 10.10.... looks like it is a Private IP, you cannot advertise them to BGP! Of course you can Here's one router I have # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 ADb 0.0.0.0/0 172.26.114.241 20 1 ADb 10.67.57.0/24 172.26.114.241 20 2 ADb 10.168.30.0/24 172.26.114.241 20 3 ADb 10.169.42.9/3...
by pwuk
Fri Sep 06, 2019 2:51 pm
Forum: Forwarding Protocols
Topic: UNABLE TO PING OVER EOIP TUNNEL
Replies: 4
Views: 372

Re: UNABLE TO PING OVER EOIP TUNNEL

So on each router you have an eoip interface, a physical port, and a bridge that contains both?

I'm guessing there's no entry in the arp tables?
by pwuk
Thu Sep 05, 2019 10:54 am
Forum: Forwarding Protocols
Topic: 2 WAN BGP failover
Replies: 6
Views: 728

Re: 2 WAN BGP failover

Route filters * Wan1-out -- set 10.10.2.0/24 to as-prepend of 2 * Wan2-out -- set 103.107.224.0/23 to as-prepend of 2 That would mean that incoming traffic would However for outgoing traffic I think you'd have to use routing marks if you only have one router, and from memory that involves using /rou...
by pwuk
Tue Mar 12, 2019 2:23 pm
Forum: Forwarding Protocols
Topic: nexthop unreachable via iBGP
Replies: 1
Views: 316

nexthop unreachable via iBGP

I have a test network set up as a square A1 --- B1 | | A2 --- B2 A1 and A2 are in AS1 B1 and B2 are in AS2 Each link has a /30 p2p address A1 and A2 have an ibgp session between the two /30 IPs B1 and B2 have an ibgp session A1 and B1 have an ebgp session with local pref of 100 A2 and B2 have an ebg...
by pwuk
Tue Jan 29, 2019 9:07 pm
Forum: Forwarding Protocols
Topic: iBGP and eBGP
Replies: 3
Views: 720

Re: iBGP and eBGP

Thanks for this, > Another thing to note, how does your OSPF process learn the prefixes advertised from AS 65011? If the answer is redistribution of BGP into OSPF then you need to ensure you are redistributing with external type1, your post was really helpful in working out what's going on. I believ...
by pwuk
Tue Jan 08, 2019 7:16 pm
Forum: Forwarding Protocols
Topic: iBGP and eBGP
Replies: 3
Views: 720

iBGP and eBGP

I have a network setup that looks like this https://tinyurl.com/ydx8e6db https://i.imgur.com/VQpqYny.png With Orange being OSPF, and Blue being eBGP. BGP has a cost of 20, and OSPF 110 I can use a variety of BGP tricks to force traffic from R11 to prefer going via R1 or R2 (local pref, med, ASpath p...
by pwuk
Mon Oct 01, 2018 8:07 pm
Forum: RouterBOARD hardware
Topic: 1100AHx4 loss
Replies: 1
Views: 368

1100AHx4 loss

I have a fairly complicated router config running on an 1100AHx4 on version 6.42.9. When I remove all the devices and just do laptop to laptop, port 4 (bridge) to port 11 (separate bridge), via a srcnat, and some queue trees, and stream 290mbit of traffic via iperf from one side to another, it works...
by pwuk
Wed Jun 13, 2018 6:23 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 77521

Re: VPNfilter official statement

Certainly not the unix way {code} ~$ grep testu /etc/passwd testuser:x :1003:1003:,,,:/home/testuser:/bin/bash ~$ sudo userdel testuser ~$ grep testu /etc/passwd {code} But that's fine. The way the underlying file system isn't wiped on an upgrade does make me slightly more concerned about how the in...
by pwuk
Tue Jun 12, 2018 9:52 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 77521

Re: VPNfilter official statement

What architecture is your potentially compromised system? This was an in-house lab x86 system (non-production - but live Internet connected) system we sometimes used to ping to and btest to. Because it was not production and stand-alone, it had no firewalls on it. Interesting I have a similar box, ...
by pwuk
Tue Jun 12, 2018 1:53 pm
Forum: General
Topic: Load balancing and failover
Replies: 5
Views: 524

Re: Load balancing and failover

Clearly if the bulk of your traffic is from one IP to another IP you can't balance it -- at least not without an ISP providing something like LACP or ECMP (and even then I believe it's good practice to send the same IP/port/src-dst down the same link to avoid reorders. I've not really used either pr...
by pwuk
Mon Jun 11, 2018 11:08 pm
Forum: General
Topic: Load balancing and failover
Replies: 5
Views: 524

Re: Load balancing and failover

I think you could use something like: /ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=via_1 per-connection-classifier=dst-address:2/0 add action=mark-connection chain=prerouting new-connection-mark=via_2 per-connection-classifier=dst-address:2/1 add action=mark-ro...
by pwuk
Mon Jun 11, 2018 10:52 pm
Forum: General
Topic: x86_64 architecture
Replies: 2
Views: 415

Re: x86_64 architecture

I can confirm that applies to the x86 version in a VM (which had >7gb allocated)


However the CHR version has no such limit
by pwuk
Mon Jun 11, 2018 10:46 pm
Forum: General
Topic: Hardware Offload
Replies: 2
Views: 810

Re: Hardware Offload

If you hardware the switching, does the bandwidth used show up on the interface? Can you run packet captures on the traffic?
by pwuk
Mon Jun 11, 2018 10:42 pm
Forum: General
Topic: The security flaw for Hajime is closed by the firewall
Replies: 37
Views: 16965

Re: The security flaw for Hajime is closed by the firewall

The compromised port and where the vulnerability get into my router was API 8728. I got this because I'm checking daily my routers, and the rules were placed 3 minutes before, and I got this in the log. The router that I have is a Lab router to catch this kind of issues: This is what I get in my log ...
by pwuk
Mon Jun 11, 2018 10:36 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 191
Views: 77521

Re: VPNfilter official statement

In looking into one of my possible compromised Mikrotik ROS systems, I see in the underlying vmlinuz ( compressed Linux kernel ) user dat file what appears to be two additional user accounts which are not visible in the Mikrotik user manager system. The two accounts in question are: admin b (as in ...
by pwuk
Thu May 24, 2018 9:33 pm
Forum: General
Topic: VPNFilter malware [SOLVED]
Replies: 9
Views: 9590

Re: VPNFilter malware [SOLVED]

Yes, that is to be expected, there was a vulnerability locked down in 6.40.8 "What's new in 6.40.8 (2018-Apr-23 11:34): !) winbox - fixed vulnerability that allowed to gain access to an unsecured router;" I wonder how that worked, and what "unsecured" means. As a rule I tend to have the following c...
by pwuk
Thu May 24, 2018 8:18 pm
Forum: General
Topic: The security flaw for Hajime is closed by the firewall
Replies: 37
Views: 16965

Re: The security flaw for Hajime is closed by the firewall

That's rather funny! 1) Restore your config to a backup version before you got hacked, update the firmware to the latest version 2) Keep your firmware up to date. Don't use an easy to guess password. 3) Block non-established input traffic from the internet, especially control traffic, unless you know...
by pwuk
Wed May 23, 2018 11:20 pm
Forum: RouterBOARD hardware
Topic: VPNFilter Malware
Replies: 8
Views: 5075

Re: VPNFilter Malware

We could guess and assume it's related to viewtopic.php?f=21&t=132499#p650812, as suggested in the other thread (viewtopic.php?f=2&t=134754&p=663554). It would be good to have that confirmed.
by pwuk
Tue Nov 14, 2017 7:28 pm
Forum: Beginner Basics
Topic: Multicast Stream Forwarding
Replies: 2
Views: 424

Re: Multicast Stream Forwarding

So you want to send multicast to subscribers who haven't actually subscribed to it?
by pwuk
Fri Nov 10, 2017 7:14 pm
Forum: Forwarding Protocols
Topic: ISP Network Extension to another city
Replies: 4
Views: 891

Re: ISP Network Extension to another city

If you've been given a virtual ethernet cable then just treat it as if it was a real ethernet cable. There's a few protocols that may be stripped (but may not be - I've had both) -- lldp, LACP, etc, but the beauty of a layer 2 link is you can simply treat it as a 100km ethernet cable. The Tier-1 ISP...
by pwuk
Fri Nov 10, 2017 7:01 pm
Forum: Forwarding Protocols
Topic: Filtering OSPF originated links
Replies: 4
Views: 767

Re: Filtering OSPF originated links

The entire network looks like https://i.imgur.com/eOzNLLE.png With Box 1 / 2 / 3 being able to plug into either Edge 1 or Edge 2 depending on the day (but not into both locations at the same time). Edge 1 or Edge 2 then advertises the box into the core. Edge1 advertises via BGP: * 192.168.1.0/24 * 1...
by pwuk
Fri Nov 10, 2017 2:29 pm
Forum: Forwarding Protocols
Topic: Filtering OSPF originated links
Replies: 4
Views: 767

Filtering OSPF originated links

I have a typical router with multiple networks on 192.168.1.0/25 192.168.1.128/26 192.168.1.192/28 192.168.1.255/32 etc. This leads to a dozen or so routes advertised by OSPF, and this makes a messy routing table when there are 5 or 6 of these routers connected together. If I add a static route for ...
by pwuk
Wed Apr 09, 2014 7:39 pm
Forum: The Dude
Topic: The Dude - Windows -> Linux Migration
Replies: 8
Views: 3824

Re: The Dude - Windows -> Linux Migration

The application is using windows-style libraries, the core OS (e.g. the network stack) isn't though.
by pwuk
Sat Dec 21, 2013 8:49 am
Forum: General
Topic: ip reverse dns lookup
Replies: 3
Views: 6484

Re: ip reverse dns lookup

Sure (Private network on 192.168.81.254/24, local pc on .100, usual masquerading) Set up your router like this /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 /ip dns static add address=192.168.81.100 name=mypc.me.com add address=192.168.81.254 name=myrouter.me.com Then run this on you...
by pwuk
Sat Dec 21, 2013 8:14 am
Forum: Forwarding Protocols
Topic: BGP and OSPF relative distances, am I doing it wrong?
Replies: 1
Views: 802

Re: BGP and OSPF relative distances, am I doing it wrong?

OK, that was a dumb move. I'd set up the ebgp peering, but not the ibgp peering.

In a far better state now :oops:

I split AB and CD into two AS numbers, and got rid of OSPF on those 4. Kept EF as a single one. Peer from B-C, E-F, B-E and C-F. Routes all seem to work regardless of the failures.
by pwuk
Thu Dec 19, 2013 2:54 pm
Forum: Forwarding Protocols
Topic: BGP and OSPF relative distances, am I doing it wrong?
Replies: 1
Views: 802

BGP and OSPF relative distances, am I doing it wrong?

I have two networks, which I want to join using BGP The first network consists of 4 routers, with ethernet /30 links in line A-B-C-D Call it AS 65501 They run OSPF, and all is well. I also have a large network running OSPF, with 2 routers, and gigabit connectivity, AS65500 E-F | | (various other bit...
by pwuk
Sun Dec 15, 2013 11:08 am
Forum: Scripting
Topic: remote ssh via script
Replies: 52
Views: 30601

Re: remote ssh via script

Well you get around the requirement for interaction and passwords by using ssh keys, however that doesn't help when you run the script from the scheduler Here's my script: add name=remotebackup policy=read,write,test source="/log info \"start backup\"; /log info \"Get R1\"; /system ssh 1.2.3.4 user=...
by pwuk
Thu Jul 04, 2013 8:42 am
Forum: General
Topic: Stupid multicast question
Replies: 3
Views: 798

Stupid multicast question

I've never trusted multicast I'm afraid, so don't have any experience of how it's supposed to work, other than vague notions of magic. It would, however, simplify one project I'm working on I have 2 mikrotik 1100AHs, linked together with a single gigabit cable on ether1, making about 15 of the ports...
by pwuk
Tue Aug 21, 2012 10:19 am
Forum: Beginner Basics
Topic: Stupidly broke my rb1200
Replies: 3
Views: 764

Re: Spuidly broke my rb1200

(I'm aware of the irony of the mis-spelt subject, I blame the jet lag)

So will that work when plugged into any of the ports?
by pwuk
Tue Aug 21, 2012 6:15 am
Forum: Beginner Basics
Topic: Stupidly broke my rb1200
Replies: 3
Views: 764

Stupidly broke my rb1200

OK, I had a routerboard 1200 responding on eth1 to the IP 192.168.88.1 I accidentally dropped this interface, rendering the entire machine useless. I don't have a serial port on my laptop, let alone the inevitable mess of cables. Now I've booted with the reset button pressed, with the reset jumper s...
by pwuk
Wed Aug 01, 2012 8:59 pm
Forum: General
Topic: Forwarding UDP to 2 addresses
Replies: 0
Views: 298

Forwarding UDP to 2 addresses

Hi, I currently use a program called "samplicator" (http://code.google.com/p/samplicator/), to listen to UDP traffic coming in, and forward it onto multiple machines. Now this seems a bit of a waste of a computer, and the usual overhead of maintaining it. I'd like to ideally run something on a route...