MikroTik

pwuk

Bit the bullet and decided to upgrade+reboot

Couldn't copy files on to router, or download them.

Rebooted, and it came back (phew), with all my old user accounts, all fixed.

Perhaps disk was in read only mode or something.

pwuk

Yes, there's nothing in the "export terse" that's different to what it should be.

Be so much easier if I could physically go and prod the router (and replace it with one off the shelf)

pwuk

I have a CCR which my automatic backup user has stopped being able to ssh in The router sends syslog to a fairly local server, there's nothing in the log to show a problem before the system,error,critical login failure for user .... via ssh started appearing every half hour or so, exactly as I'd exp...

pwuk

Moved config onto identical router and got a local smarthand to move the cables down. The problem moved to the replacement hardware Disabled most recent bits of config like vrrp and a couple of vlans, problem remained Disabled all the device ports, leaving just the two links out. Problem vanished Br...

pwuk

I've got two cloud core routers on the other side of the atlantic, and one of them is dropping out for 8.6 seconds at a time on average once an hour (but nowhere near metronomic -- it happened 3 times in the last 60 minutes) log print shows 12:44:04 interface,info sfp1 link down 12:44:04 interface,i...

pwuk

I've recent adopted a VPN solution, and upon reviewing it it seems they haven't installed any certificate, let alone a valid one, on the server. Am I right to think that sstp has the client send the username/password to the server, and thus is open to MITM attacks? They have about 120 clients on the...

pwuk

I see, so the traffic appears to come from the same public IP address whether it's from network A, or network B, and you want to deal with traffic from network B differently on the firewall You could use a mangle rule to change DSCP on each packet - set it to 1 from network A, 2 from network B, then...

pwuk

You're attempting to peer with 172.22.245.109, but you don't have a route to that network. It's either supposed to be connected directly (say you are support to be 172.22.245.110, and there's a cable between the two routers), or you reach it via some other form of routing (statics, ospf, etc).

pwuk

It looks like you have added static routes to each network, via 10.0.99.42. These are being used as active routes because they have the lowest cost (1) Your BGP routes (ibgp) are not being installed into the routing table because the same destination (for example 10.103.0.0/22) is already available ...

pwuk

I came across this page the other day -- https://www.quora.com/How-are-EGP-and-IGP-different The author is a Principal Engineer at Cisco, working on BGP, so clearly he knows his routing "There is only one EGP protocol in use and it is BGP. The two common IGP protocols in use are OSPF and ISIS. ...

pwuk

I've seen Juniper SRXs silently dropping unicast traffic. I haven't got any concrete proof that mikrotiks are dropping packets silently, but I've suspected. I do know some routers - like the CCR1036 - are prone to reordering packets, especially when there are queue trees involved. I'm glad someone e...

pwuk

Just to confirm I advertise everything from /16 to /32 (and /0) via eBGP between many different ASs I do try to aggregate routes to /24s, but it's sometimes not possible. For example Incoming filter at one site /routing filter add action=accept chain=bgp-in-fromcore comment="From UK Path A"...

pwuk

Normally you can monitor BGP via SNMP walking 1.3.6.1.2.1.15.3.1.2, which returns the state (other oids are available) Mikrotik doesn't implement this, which seems crazy. I typically peer mikrotik-cisco or mikrotik-juniper and monitor on the cisco/juniper end, which does work. If you're peering mikr...

pwuk

First of all 10.10.... looks like is an Private IP, you cannot advertise them to BGP! Of course you can Here's one router I have # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 ADb 0.0.0.0/0 172.26.114.241 20 1 ADb 10.67.57.0/24 172.26.114.241 20 2 ADb 10.168.30.0/24 172.26.114.241 20 3 ADb 10.169.42.9/3...

pwuk

So on each router you have an eoip interface, a physical port, and a bridge that contains both?

I'm guessing there's no entry in the arp tables?

pwuk

Route filters * Wan1-out -- set 10.10.2.0/24 to as-prepend of 2 * Wan2-out -- set 103.107.224.0/23 to as-prepend of 2 That would mean that incoming traffic would However for outgoing traffic I think you'd have to use routing marks if you only have one router, and from memory that involves using /rou...

pwuk

I have a test network set up as a sqare A1 --- B1 | | A2 --- B2 A1 and A2 are in AS1 B1 and B2 are in AS2 Each link has a /30 p2p address A1 and A2 have an ibgp session between the two /30 IIPs B1 and B2 have an ibgp session A1 and B1 have an ebgp session with local pref of 100 A2 and B2 have an ebg...

pwuk

Thanks for this, > Another thing to note, how does your OSPF process learn the prefixes advertised from AS 65011? If the answer is redistribution of BGP into OSPF then you need to ensure you are redistributing with external type1, your post was really helpful in working out what's going on. I believ...

pwuk

I have a network setup that looks like this https://tinyurl.com/ydx8e6db https://i.imgur.com/VQpqYny.png With Orange being OSPF, and Blue being eBGP. BGP has a cost of 20, and OSPF 110 I can use a variety of BGP tricks to force traffic from R11 to prefer going via R1 or R2 (local pref, med, ASpath p...

pwuk

I have a fairly complicated router config running on an 1100AHx4 on version 6.42.9. When I remove all the devices and just do laptop to laptop, port 4 (bridge) to port 11 (seperate bridge), via a srcnat, and some queue trees, and stream 290mbit of traffic via iperf from one side to another, it works...

pwuk

Certainly not the unix way {code} ~$ grep testu /etc/passwd testuser:x :1003:1003:,,,:/home/testuser:/bin/bash ~$ sudo userdel testuser ~$ grep testu /etc/passwd {code} But that's fine. The way the underlying file system isn't wiped on an upgrade does make me slightly more concerned about how the in...

pwuk

What architecture is your potentially compromised system? This was a in-house lab x86 system (non-production - but live Internet connected) system we sometimes used to ping to and btest to. Because it was not production and stand-alone , it had no firewalls on it. Interesting I have a similar box, ...

pwuk

Clearly if the bulk of your traffic is from one IP to another IP you can't balance it -- at least not without an ISP providing something like LACP or ECMP (and even then I believe it's good practice to send the same IP/port/src-dst down the same link to avoid reorders. I've not really used either pr...

pwuk

I think you could use something like: /ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=via_1 per-connection-classifier=dst-address:2/0 add action=mark-connection chain=prerouting new-connection-mark=via_2 per-connection-classifier=dst-address:2/1 add action=mark-ro...

pwuk

I can confirm that applies to the x86 version in a VM (which had >7gb allocated)

However the CHR version has no such limit

pwuk

If you hardware the switching, does the bandwidth used shows up on the interface? Can you run packet captures on the traffic?

pwuk

The compromised port and were the vulnerability get into my router was API 8728. I got this because i'm checking dayly my routers, and the rules was placed 3 minutes before, and i got this in the log. the router that i have is a Lab router to catch this kind of issues: This is what i get in my log ...

pwuk

In looking into one of my possible compromised Mikrotik ROS systems, I see in the underlying vmlinuz ( compressed Linux kernel ) user dat file what appears to be two additional user accounts which are not visible in the Mikrotik user manager system. The two accounts in question are: admin b (as in ...

pwuk

Yes, that is to be expected, there was a vulnerability locked down in 6.40.8 "What's new in 6.40.8 (2018-Apr-23 11:34): !) winbox - fixed vulnerability that allowed to gain access to an unsecured router;" I wonder how that worked, and what "unsecured" means. As a rule I tend to ...

pwuk

That's rather funny! 1) Restore your config to a backup version before you got hacked, update the firmware to the latest version 2) Keep your firmware updtodate. Don't use an easy to guess password. 3) Block non-established input traffic from the internet, especially control traffic, unless you know...

pwuk

We could guess and assume it's related to viewtopic.php?f=21&t=132499#p650812, as suggested in the other thread (viewtopic.php?f=2&t=134754&p=663554). It would be good to have that confirmed.

pwuk

So you want to send multicast to subscribers who haven't actually subscribed to it?

pwuk

If you've been given a virtual ethernet cable then just treat it as if it was a real ethernet cable. There's a few protocols that may be stripped (but may not be - I've had both) -- lldp, LACP, etc, but the beauty of a layer 2 link is you can simply treat it as a 100km ethernet cable. The Tier-1 ISP...

pwuk

The entire network looks like https://i.imgur.com/eOzNLLE.png With Box 1 / 2 / 3 being able to plug into either Edge 1 or Edge 2 depending on the day (but not into both locations at the same time). Edge 1 or Edge 2 then advertises the box into the core. Edge1 advertises via BGP: * 192.168.1.0/24 * 1...

pwuk

I have a typical router with multiple networks on 192.168.1.0/25 192.168.1.128/26 192.168.1.192/28 192.168.1.255/32 etc. This leads to a dozen or so routes advertised by OSPF, and this makes a messy routing table when there are 5 or 6 of these routers connected together. If I add a static route for ...

pwuk

The application is using windows-style libraries, the core OS (e.g. the network stack) isn't though.

pwuk

Sure (Private network on 192.168.81.254/24, local pc on .100, usual masquerading) Set up your router like this /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 /ip dns static add address=192.168.81.100 name=mypc.me.com add address=192.168.81.254 name=myrouter.me.com Then run this on you...

pwuk

OK, that was a dumb move. I'd set up the ebgp peering, but not the ibgp peering.

In a far better state now

I split AB and CD into two AS numbers, and got rid of OSPF on those 4. Kept EF as a single one. Peer from B-C, E-F, B-E and C-F. Routes all seem to work regardless of the failures.

pwuk

I have two networks, which I want to join using BGP The first network consists of 4 routers, with ethernet /30 links in line A-B-C-D Call it AS 65501 They run OSPF, and all is well. I also have a large network running OSPF, with 2 routers, and gigabit connectivity, AS65500 E-F | | (various other bit...

pwuk

Well you get around the requirement for interaction and passwords by using ssh keys, however that doesn't help when you run the script from the scheduler Here's my script: add name=remotebackup policy=read,write,test source="/log info \"start backup\"; /log info \"Get R1\"; ...

pwuk

I've never trusted multicast I'm afraid, so don't have any experience of how it's supposed to work, other than vague notions of magic. It would, however, simplify one project I'm working on I have 2 mikrotik 1100AHs, linked together with a single gigabit cable on ether1, making about 15 of the ports...

pwuk

(I'm aware of the irony of the mis-spelt subject, I blame the jet lag)

So will that work when plugged into any of the ports?

pwuk

OK, I had a routerboard 1200 responding on eth1 to the IP 192.168.88.1 I accidentally dropped this interface, rendering the entire machine useless. I don't have a serial port on my laptop, let alone the inevitable mess of cables. Now I've booted with the reset button pressed, with the reset jumper s...

pwuk

Hi, I currently use a program called "samplicator" (http://code.google.com/p/samplicator/), to listen to UDP traffic coming in, and forward it onto multiple machines. Now this seems a bit of a waste of a computer, and the usual overhead of maintaining it. I'd like to ideally run something ...

Search found 44 matches