Community discussions

Search found 171 matches

by BlackVS
Wed Apr 03, 2019 2:55 pm
Forum: Scripting
Topic: Strange problem with address-list and scripting
Replies: 2
Views: 472

Re: Strange problem with address-list and scripting

One notice - tool fetch is asynchronous, i.e. it returns immediately and does not wait until the download has finished.
Download is done in background.
As a variant, you are importing files which are not yet fully downloaded...
To check this just add something like:
delay 10s
after last tool fetch
by BlackVS
Wed Apr 03, 2019 2:50 pm
Forum: Scripting
Topic: macros bug [SOLVED]
Replies: 14
Views: 1698

Re: macros bug [SOLVED]

Works in my case (the same result as in Chupaka) - CCR1009, the last firmware. Just copied your code in script called test_if and called it from terminal.
by BlackVS
Wed Apr 03, 2019 2:27 pm
Forum: Scripting
Topic: Write IP to log
Replies: 4
Views: 383

Re: Write IP to log

Reason - ccr1009 and rb4011 are much faster comparing to Hex %)) Tool fetch call is not synchronous i.e. returns immediately and url connected in background. I.e. you should wait after "fetch" until file downloaded. How long... who knows %) In my scripts I do in more complicated way - redirecting out...
by BlackVS
Wed Apr 03, 2019 12:01 pm
Forum: Scripting
Topic: RouterOs Api Script [SOLVED]
Replies: 2
Views: 440

Re: RouterOs Api Script [SOLVED]

Try remove by id not by name. In terminal of WinBox /ip hotspot cookie remove ? I see Remove specified item (or several items). <numbers> -- List of item numbers i.e. very probably it needs numbers i.e. I think ids, something like $API->write('=.id=*ABCDEF'); Sure you need find value of field ".id" ...
by BlackVS
Wed Apr 03, 2019 11:33 am
Forum: Scripting
Topic: Get a list of all address-list
Replies: 4
Views: 409

Re: Get a list of all address-list

#trick to create empty array
:local addrcnt [:toarray ""]
:foreach id in=[/ip firewall address-list find] do={
  :local rec [/ip firewall address-list get $id]
  :local listname ($rec->"list")
  :set ($addrcnt->"$listname") ($addrcnt->"$listname"+1)
  #:put ($addrcnt->"$listname")
}
:foreach k,v in=$addrcn...
by BlackVS
Fri Mar 29, 2019 12:49 pm
Forum: Scripting
Topic: API Links
Replies: 123
Views: 83264

Re: API Links

One more Python API (still beta but functional) : https://github.com/BlackVS/smartROS (some description in Russian)
Is developed for my own needs.
Main features:
TLS+ADH / TLS+certificates connection supported
routers' credentials stored in config file
human readable conditions (see below)
logging t...
by BlackVS
Thu Oct 04, 2018 9:29 am
Forum: Scripting
Topic: "/tool fetch output=user" Example? [SOLVED]
Replies: 3
Views: 1440

Re: "/tool fetch output=user" Example? [SOLVED]

It would be great to allow suppress annoying hard-coded messaging regarding each fetch operation to router's log (i.e. if you have script which fetching each ten seconds - now you get each 10 seconds info message in the log... as result log is full such messages which masking the rest ones). It is t...
by BlackVS
Thu Jul 26, 2018 7:56 pm
Forum: Beginner Basics
Topic: IPsec, GRE, gre over IPsec and IPsec over GRE
Replies: 2
Views: 1095

Re: IPsec, GRE, gre over IPsec and IPsec over GRE

ipsec over gre, when we encrypt packet with ipsec and send it via gre gre over ipsec - i don't know what for. ipsec over gre - ipsec packet encapsulated into the GRE i.e. GRE outer header added to the ipsec packets gre over ipsec - GRE packets encapsulated into ipsec i.e. GRE packets encrypted by i...
by BlackVS
Fri Feb 23, 2018 3:25 pm
Forum: General
Topic: Low performance over EOIP tunnel
Replies: 11
Views: 3181

Re: Low performance over EOIP tunnel

In both side I added a mangle rule like that 1 chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp log=no log-prefix="" and it doesn't make no difference. It doesn't make difference for UDP (I see UDP on second screenshot) due tcp clamp is tcp clamp.
by BlackVS
Mon Feb 19, 2018 7:15 pm
Forum: General
Topic: What is the best P2P VPN solution for RB2011
Replies: 2
Views: 432

Re: What is the best P2P VPN solution for RB2011

Your question contains the answer. Any 128-bit encrypting will allow faster connection, any higher will decrease performance dramatically. It is no big difference which concrete protocol to use, makes difference only encryption due to RB2011 do it only via CPU. Some higher throughput will be with p2tp/op...
by BlackVS
Sun Feb 18, 2018 7:24 pm
Forum: Scripting
Topic: Telegram BlackVS modified script
Replies: 7
Views: 3013

Re: Telegram BlackVS modified script

Cool!
One question - what size of $telegram variable is?
Due to I thought variables in ROS could not exceed 4096 bytes... ( https://wiki.mikrotik.com/wiki/Manual:S ... #Variables )
by BlackVS
Wed Feb 14, 2018 1:06 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

Any idea how to build string for telegram message (new line and etc,,..), for example I would like to do foreach on every hotspot active connection create $str and send it by telegram message... Check tg_cmd_health code for multi-line. If shortly - new line is coded as "%0A" not "\n". It is from UR...
by BlackVS
Wed Feb 14, 2018 1:01 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

Everything working... I modified your script...
This forum needs "Like" button %) Good job!
by BlackVS
Wed Feb 14, 2018 12:56 pm
Forum: General
Topic: Traffic balancing
Replies: 2
Views: 347

Re: Traffic balancing

My router is configured to 2 gateways which one of them is only for backup. (I use check-gateway in route table) I.e both default routes with same metric? Copy here your route table (screenshot or /ip route print). Then, if I start some new connection on other PC it does not balance the traffic betw...
by BlackVS
Tue Feb 13, 2018 1:07 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

I'm trying to make telegram available by global (environment), This is the complete script: tgSendMessage work from mikrotik's terminal command line, But from another script it's not running :\ Any idea why? How do you call another script - from terminal manually or, for example, via scheduler? If f...
by BlackVS
Tue Feb 13, 2018 12:57 pm
Forum: Scripting
Topic: VPN channels switcher (one more fail-over script)
Replies: 0
Views: 460

VPN channels switcher (one more fail-over script)

Hi All, here is one more example of channels switching (fail-over), Multi-VPN switcher, see attach. Can be useful for scripting funs. And may be also for switching VPN channels %) https://www.mikrotik-club.in.ua/2018/02/13/multi-vpn-channels-switcher-failover/ (in Russian) 1. Import and set/tune par...
by BlackVS
Tue Feb 13, 2018 8:35 am
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

Command must start from /,
i.e "/hi" but not "hi".
Also this command should be set for your bot via @BotFather's /setcommands.
PS: sample commands done in lowercase, i.e "/hi", not "/Hi". Case makes difference too.
by BlackVS
Wed Feb 07, 2018 2:02 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

is it possible to send command via telegram then execute in RouterBOARD?
yes
by BlackVS
Wed Feb 07, 2018 2:00 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

Fendi Kurniawan
ambiguous value of value-name, more than one possible value matches input
Have you used the last version (see viewtopic.php?f=9&t=128394#p631125 )?
by BlackVS
Tue Feb 06, 2018 7:16 am
Forum: General
Topic: Sent/Received traffic
Replies: 3
Views: 493

Re: Sent/Received traffic

1. Statistics on interfaces cleared after reboot. 2. Correct way is use netflow (i.e.IP/Traffic Flow + something like ntopng/mrtg/prtg/cacti etc) 3. But for rough statistic some scripting can be done, like https://wiki.mikrotik.com/wiki/Scripts/Automated_Usage_Script_without_usermanager or more adva...
by BlackVS
Tue Feb 06, 2018 7:11 am
Forum: Beginner Basics
Topic: ccr1009-7g-1c-1s+ multiple wans
Replies: 2
Views: 564

Re: ccr1009-7g-1c-1s+ multiple wans

Yes, possible. In many ways - https://wiki.mikrotik.com/wiki/Load_Balancing Which way to use - depends on what exactly you want. Simplest - PCC. ECMP - don't use ECMP default gates (i.e. few gates with same metric), exist some negative "effects". Bonding, OSPF, BGP - needs access to devices on oppos...
by BlackVS
Mon Feb 05, 2018 8:41 am
Forum: Beginner Basics
Topic: IPSEC Tunnel slow as death
Replies: 4
Views: 2816

Re: IPSEC Tunnel slow as death

I just setup an ipsec site to site tunnel and my connection is super slow. I have a 1Gbps fiber optic connection between point a and b. I think I have messed up in NAT someplace. Any guidance would be helpful Which routers do you use? Super slow - it is 1M, 10M, 100M? Very probably your device (Hap ...
by BlackVS
Mon Feb 05, 2018 8:29 am
Forum: Scripting
Topic: Using loop functions in rsc-files
Replies: 4
Views: 497

Re: Using loop functions in rsc-files

Hey guys,
quick question here.
I'm using rsc-files to configure my devices. Now when i try to use loop statements in the file, it won't load.
Is it generally not possible to use loops or am i doing something wrong?

Thanks a million in advance
J.
put your script here
by BlackVS
Mon Feb 05, 2018 8:22 am
Forum: General
Topic: Built in Email Variable
Replies: 2
Views: 383

Re: Built in Email Variable

Run in terminal:
:put [/tool e-mail get from]
i.e. you need just read property "from" and use it.
To see available properties for e-mail run in terminal:
:put [/tool e-mail get]
by BlackVS
Sun Jan 07, 2018 4:47 pm
Forum: Scripting
Topic: How do I reference array using variable?
Replies: 2
Views: 624

Re: How do I reference array using variable?

A) ROS does not support dynamic names for variables
B) but you can use script from script trick as here - viewtopic.php?f=9&t=125253&p=617239#p617239
by BlackVS
Thu Jan 04, 2018 11:15 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 76638

Re: v6.41 [current]

Probably known problem with discovery - do any from listed below: Found a first anomaly: Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work. After list deletion and recreation by hand, it works. The same. After disabling...
by BlackVS
Thu Jan 04, 2018 11:08 am
Forum: RouterBOARD hardware
Topic: CCR1009-7G IPSec performance
Replies: 9
Views: 2792

Re: CCR1009-7G IPSec performance

Do you run with default settings (aes128-cbc and sha1) or did you select other options (that may be slower or not HW accelerated)? BTW, the abovementioned "issue with IPsec hardware acceleration" has been fixed. Fixed but partially. In my case software enabled IPSEC (AES-256 CTR) still faster compa...
by BlackVS
Thu Jan 04, 2018 10:56 am
Forum: General
Topic: Error on log - running out of disk space
Replies: 4
Views: 4314

Re: Error on log - running out of disk space

A) Insert SD-card or USB flash drive and switch logging to it. Don't use internal flash for temp/log/dude/etc files - or you can be surprised by dead device due to internal flash failure... B) some devices from Mikrotik have minimal size internal flash drives (like 16M on Hap AC) - just to be able to f...
by BlackVS
Tue Jan 02, 2018 6:48 pm
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 76638

Re: v6.41 [current]

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.
The same. After disabling-enabling all "discover" list items started to work...
by BlackVS
Thu Dec 28, 2017 4:55 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

Before last command in tg_SendMessage insert debug command:

:put $url

(or :log $url) and check URL composed by this script.
As variant - wrong botID or chatID.
by BlackVS
Tue Dec 12, 2017 3:59 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

You can try parse log like here - viewtopic.php?t=125097
by BlackVS
Sat Dec 09, 2017 5:48 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

Nice job .. i Already did it for my MT :local sub1 ([/system identity get name]) :local sub2 ([/system clock get time]) :if ([/ping 8.8.8.8 count=5] = 0) do= { / tool fetch "https://api.telegram.org/botXXXXXXXX/sendMessage?chat_id=-XXXXXXXX&text=($sub1) Can Not Ping Google at $sub2 " :log warning "...
by BlackVS
Sat Dec 09, 2017 5:45 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

hi tanks What does this line mean? \n\"trusted\"=\"AAAAAAAAA,BBBBBBBBB,CCCCCCCCC\";\r\ what is trusted It is string of comma separated list of ids of trusted sources. I.e. it is who can send commands to Telegram bot. If it is only you - when it is your Telegram id (not username!) in double quotes ...
by BlackVS
Wed Dec 06, 2017 2:25 pm
Forum: Scripting
Topic: Multiple Files in one e-mail.
Replies: 9
Views: 4893

Re: Multiple Files in one e-mail.

:local files {$backupconf;$backuplog} /tool e-mail send to="vvs@somewhere.com" subject="$[/system identity get name]-$[/system clock get time] Backup Configuration & Log - SBB-Optic" file=$files sends two files!!! Why - I don't know. Because wiki clearly says (https://wiki.mikrotik.com/wiki/Manual:...
by BlackVS
Wed Dec 06, 2017 2:22 pm
Forum: Scripting
Topic: Send files via e-mail [SOLVED]
Replies: 4
Views: 1000

Re: Send files via e-mail [SOLVED]

Hm, https://forum.mikrotik.com/viewtopic.php?t=40650 It is crazy due to in wiki it is clearly said that it should be " list of comma separated "... BUT!!!! :local backupconf "$[/system identity get name]-$[/system clock get time]-CONF.backup" :local backuplog "$[/system identity get name]-$[/system ...
by BlackVS
Wed Dec 06, 2017 10:57 am
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

tg_getUpdates fix - added correct processing of case when username, first_name, last_name of sender all are not filled or not exist. :global TGLASTMSGID :global TGLASTUPDID :local fconfig [:parse [/system script get tg_config source]] :local http [:parse [/system script get func_fetch source]] :loca...
by BlackVS
Wed Dec 06, 2017 10:44 am
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

What was value of $from ? mode=Markdown just means that you can do simple formatting ( https://core.telegram.org/bots/api#markdown-style ) Has your account has filled first_name, last_name or username? Or all them are empty? But in any case I should add detection of "inkognito" accounts, thanks for ...
by BlackVS
Wed Dec 06, 2017 9:40 am
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

/health works perfect but /hi does not When you add commands to bot (/setcommands) - you pushed Shift-Enter after first line or just Enter? If just Enter - it remembered only one command. It is little bit crazy but I do /setcommands dozen times until I realized that lines should be separated by Shi...
by BlackVS
Wed Dec 06, 2017 7:42 am
Forum: Scripting
Topic: Send files via e-mail [SOLVED]
Replies: 4
Views: 1000

Re: Send files via e-mail [SOLVED]

https://wiki.mikrotik.com/wiki/Manual:Tools/email

file (File[,File]; Default: ) List of the file names that will be attached to the mail separated by comma.
I.e. not "file=AAA file=BBB" but "file=AAA,BBB"
by BlackVS
Wed Dec 06, 2017 7:15 am
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

tg: Load config status: failed failure: closing connection: <400 Bad Request> 149.154.167.199:443 (5) after running this /system script run tg_getUpdates It seems to be wrong values in tg_config. Before error it should show your line like /tool fetch dst-path="disk1/tg_get_updates.txt" url="https:/...
by BlackVS
Wed Dec 06, 2017 7:10 am
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Re: Mikrotik and Telegram

Can you describe the configuration options of your script exactly. I mean the telegram configuration $config. Where to download all the required variables. 1. First you need install Telegram and create your account. 2. Next - get your Telegram id (it is not username. ID - it is a number). To get it...
by BlackVS
Tue Dec 05, 2017 5:42 pm
Forum: Scripting
Topic: Mikrotik and Telegram
Replies: 38
Views: 14813

Mikrotik and Telegram

Hi, here are scripts to work with Telegram (see attach). To use scripts: 1. Unpack .rsc file and import it to router, you should see next scripts in System->Scripts: func_fetch – wrapper for /tool fetch tg_config – config tg_getUpdates – check Telegram for updates and run command scripts tg_sendMess...
by BlackVS
Mon Dec 04, 2017 5:28 pm
Forum: Scripting
Topic: If condition in array [SOLVED]
Replies: 1
Views: 472

Re: If condition in array [SOLVED]

Use "find" ( https://wiki.mikrotik.com/wiki/Manual:Scripting#Operators )
One notice - if no element found find returns no value (i.e. value of type nil)
:local arr {10;20;30;40}
:put "Array is:"
:put $arr
:local values {10;15;30;45}
:foreach v in=$values do={
  :local p [:find $arr $v]
  :if ([:type $p]...
by BlackVS
Fri Nov 10, 2017 10:30 am
Forum: Beginner Basics
Topic: GRE tunnel with ipsec secret
Replies: 20
Views: 4210

Re: GRE tunnel with ipsec secret

1. ROS version on both routers is the same? 2. Check and copy here dynamic rules created in the IP/IPSEC . I remember that GRE channels with "password" not started in my case too (it was a long time ago - as only such ability added to GRE channels) - I just created proper ipsec static rules instead ...
by BlackVS
Wed Nov 01, 2017 5:36 pm
Forum: General
Topic: Disk full
Replies: 12
Views: 3252

Re: Disk full

We think that this is not a flash memory problem, but a mikrotik! Does overflow of flash memory lead to loss of all data? Where did you see this ext3/linux? Why there is no reserve for system functions? Dear mikrotik, maybe need some fix? Regarding ext3/linux - 1. ROS built on Linux, it is well kno...
by BlackVS
Wed Nov 01, 2017 10:19 am
Forum: Scripting
Topic: Script Backup
Replies: 5
Views: 715

Re: Script Backup

To send via email - yes, it can be easily added to my script (or any similar scripts can be used from https://wiki.mikrotik.com/wiki/Scripts , for example: https://wiki.mikrotik.com/wiki/Send_Backup_email How to get backups externally - https://wiki.mikrotik.com/wiki/BackupROS_(Centralized_Backups)_...
by BlackVS
Wed Nov 01, 2017 10:10 am
Forum: Scripting
Topic: Dates manipulation module
Replies: 3
Views: 1195

Dates manipulation module

Hi All, in the result of discussion in https://forum.mikrotik.com/viewtopic.php?f=9&t=127050 module for dates manipulations was born (see attach). Dates manipulations are done in format "jan/01/1970" Module contains next functions: func_datetime2str – generates string from date and time func_cmp2dat...
by BlackVS
Tue Oct 31, 2017 5:11 pm
Forum: Scripting
Topic: Script Backup
Replies: 5
Views: 715

Re: Script Backup

email or external server getting backup file via ssh/telnet
by BlackVS
Tue Oct 31, 2017 11:19 am
Forum: Scripting
Topic: script to calculate next date [SOLVED]
Replies: 12
Views: 3240

Re: script to calculate next date [SOLVED]

You read my mind %)
Yes, sure.
Also I'm planning to add dates comparison (<,>,==) and subtraction of dates (i.e. how much days between dates) to have full date arithmetic.
by BlackVS
Tue Oct 31, 2017 7:19 am
Forum: Scripting
Topic: script to calculate next date [SOLVED]
Replies: 12
Views: 3240

Re: script to calculate next date [SOLVED]

:put - outputs result to terminal, not to log :log - outputs to log, not to terminal. In your example you outputs new date to terminal and try output function's parsed code to log. That you see (code) in log. If you wish insert any calculations\functions call into the string you must use "$[calculat...
by BlackVS
Mon Oct 30, 2017 4:41 pm
Forum: Scripting
Topic: script to calculate next date [SOLVED]
Replies: 12
Views: 3240

Re: script to calculate next date [SOLVED]

Hm...
Just create new script named func_shiftDate , insert into it code from above and call this script from you script as function.
https://wiki.mikrotik.com/wiki/Manual:S ... #Functions
by BlackVS
Mon Oct 30, 2017 11:04 am
Forum: General
Topic: Disk full
Replies: 12
Views: 3252

Re: Disk full

1. External SD-Card/USB Flash drive must be formatted first - https://wiki.mikrotik.com/wiki/Manual:System/Disks (due to just bought sd-cards/flash drives usually pre-formatted as FAT32, Mikrotik needs ext3). 2. You can't delete existing files due to they locked by running Dude. Stop Dude and then tr...
by BlackVS
Mon Oct 30, 2017 10:55 am
Forum: Scripting
Topic: Handle script error mikrotik
Replies: 4
Views: 907

Re: Handle script error mikrotik

Try
:execute script="/import file-name=\"wifi.rsc\"" file="importresult"
by BlackVS
Fri Oct 27, 2017 5:21 pm
Forum: Scripting
Topic: script to calculate next date [SOLVED]
Replies: 12
Views: 3240

Re: script to calculate next date [SOLVED]

################################################################### func_shiftDate - add days to date # Input: date, days # date - "jan/1/2017" # days - number # correct only for years >1918 ################################################################### uncomment for testing #:local date "jan/...
by BlackVS
Fri Oct 27, 2017 4:10 pm
Forum: Scripting
Topic: script to calculate next date [SOLVED]
Replies: 12
Views: 3240

Re: script to calculate next date [SOLVED]

ROS scripting has ridiculous support for dates. You can't add/subtract them. You need split your date on days, months, years and then do date arithmetic taking into consideration days in the months and leap years. From one hand it is no difficult task for programmers, but admins usually not programm...
by BlackVS
Thu Oct 26, 2017 4:16 pm
Forum: Scripting
Topic: Script for Date and Time
Replies: 12
Views: 22925

Re: Script for Date and Time

ROS scripting has ridiculous support for dates. You can't add/subtract them. You need split your date on days, months, years and then do date arithmetic taking into consideration days in the months and leap years. From one hand it is no difficult task for programmers, but admins usually not programm...
by BlackVS
Thu Oct 26, 2017 1:18 pm
Forum: Scripting
Topic: File Size Limit - 4096 [SOLVED]
Replies: 4
Views: 1335

Re: File Size Limit - 4096 [SOLVED]

It is limit not to file - it is limit for variable size... If you write text variable to file - you can write maximum 4096 bytes. Problem that ROS haven't normal file input/output (i.e. you can't just append to file or read line by line). But!!! %))) You can output to file output of script - in such...
by BlackVS
Thu Oct 26, 2017 8:08 am
Forum: Scripting
Topic: CAPsMAN scripting not return values
Replies: 1
Views: 340

Re: CAPsMAN scripting not return values

It is due to no actually configuration.ssid field. WinBox does some work to show it. You must to do too: 1. Get current config name (in my case for cap3): :put [/caps-man interface get cap3 configuration] In my case found configuration is "cfg5_5260" 2. When check ssid field in the found configurati...
by BlackVS
Thu Oct 26, 2017 7:52 am
Forum: Scripting
Topic: Handle script error mikrotik
Replies: 4
Views: 907

Re: Handle script error mikrotik

1. :foreach id in [/interface wireless find] do={ :put [/interface wireless get $id name] } 2. :foreach id in [/interface wireless find] do={ :put [/interface wireless get $id ssid] } 3. Absence of normal error processing in ROS script is general problem %) (due to try/catch/return codes usually ign...
by BlackVS
Wed Oct 25, 2017 10:40 am
Forum: The Dude
Topic: How to pass parameters to a function
Replies: 8
Views: 2447

Re: How to pass parameters to a function

Starting from 6.2 ROS supports passing arguments to custom functions:
https://wiki.mikrotik.com/wiki/Manual:S ... #Functions

Also global variables can be used to pass parameters.
by BlackVS
Wed Oct 25, 2017 10:31 am
Forum: General
Topic: Connecting 2 RB750GR3 over wan
Replies: 7
Views: 865

Re: Connecting 2 RB750GR3 over wan

Have you visited link I gave you in my previous message? EoIP/GRE/IPIP Usually used for inter-office connections. Usually are unencrypted. But can be combined with ipsec (i.e. ipsec over EoIP/GRE/IPIP) EoIP - like bridge (L2) over tcp/ip. GRE/IPIP - both L3 tunnels.It is not critical that to choose ...
by BlackVS
Tue Oct 24, 2017 5:18 pm
Forum: General
Topic: Connecting 2 RB750GR3 over wan
Replies: 7
Views: 865

Re: Connecting 2 RB750GR3 over wan

You asking for "best" - best means necessity to have some conditions/requirements.
Because the best in one environment can be the worst in other environment.
All possible tunnels - for example

https://rickfreyconsulting.com/mikrotik-vpns/
by BlackVS
Tue Oct 10, 2017 2:15 pm
Forum: General
Topic: IPsec Performance
Replies: 16
Views: 9380

Re: IPsec Performance

So why is there such a massive perfomance loss when the hEX does the ipsec encryption, the eoip tunnel and the routing by it self ?
I saw the same effect when tested Gr3 in 2016.
I thought it was due to device just appeared and wasn't yet optimized.
Sad that nothing changed from that time :(
by BlackVS
Thu Sep 07, 2017 7:54 am
Forum: Scripting
Topic: Name var " dynamic "
Replies: 4
Views: 866

Re: Name var " dynamic "

:global prb1 123
:global prb2 1234
:global prb3 12345
:local a1 1;
:local a2 2;
:local a3 3;
:global t

:execute script=":global t \$prb$a1"
:put $t

:execute script=":global t \$prb$a2"
:put $t

:execute script=":global t \$prb$a3"
:put $t
by BlackVS
Wed Aug 30, 2017 10:52 am
Forum: Scripting
Topic: Backup system, v1.4
Replies: 0
Views: 577

Backup system, v1.4

Hi All, here is my backup system for Mikrotik's routers which I successfully use last half-year (see attach). It consists of set of external functions/scripts. To install system you need unpack and import script (see attach): /import file=backuping-system-v1.4.rsc and set parameters in backups_confi...
by BlackVS
Fri Apr 28, 2017 6:50 pm
Forum: Beginner Basics
Topic: Mikrotik and VPN
Replies: 2
Views: 506

Re: Mikrotik and VPN

If I remember right LHG5 has Level 3 license.
Features of each license can be seen here:
https://wiki.mikrotik.com/wiki/Manual:L ... nse_Levels
I.e. it should support vpn connections.
by BlackVS
Wed Apr 26, 2017 6:55 pm
Forum: Scripting
Topic: Problem with FTP upload via script
Replies: 6
Views: 2024

Re: Problem with FTP upload via script

My script is little bit more complicate %) : I split creating backups, sending them and clearing in three different scripts. Backups created each week and their filenames put in to the queue. Router try send them via FTP each 15 minutes (if I remember right). Once per week old backups deleted and on...
by BlackVS
Wed Apr 26, 2017 7:11 am
Forum: General
Topic: Router become unreacheable after adding VLAN on bridge
Replies: 9
Views: 1784

Re: Router become unreacheable after adding VLAN on bridge

As wrote idleman you created loop. Due to ether1-lan act here as trunk i.e. it catches all packets including vlan tagged. After they are untagged and sent to the vlans (due to vlan in bridge), then they via vlan go to bridge and again to the trunk and go-go-go-go... again %) until die %) You can eas...
by BlackVS
Tue Apr 25, 2017 8:18 pm
Forum: General
Topic: Router become unreacheable after adding VLAN on bridge
Replies: 9
Views: 1784

Re: Router become unreacheable after adding VLAN on bridge

Put here full config (except sensitive information of course). As variant you have default drop all input rule in firewall (but allow rules for vlan interface). Inserting vlan interface into the bridge will cause ignoring specific interface rules in such case (due to interfaces become slave, in new ...
by BlackVS
Tue Apr 25, 2017 8:03 pm
Forum: Scripting
Topic: Problem with FTP upload via script
Replies: 6
Views: 2024

Re: Problem with FTP upload via script

Does it work if run ftp upload command from terminal? I have backups scripts run on CCRs and RBs and they all work ok. Except situation then NAS is in standby mode - in this case my script fails in first retry (stops with timeout error) but succeed on second/third (then NAS woke up). Also check ftp ...
by BlackVS
Tue Apr 25, 2017 7:32 pm
Forum: General
Topic: Router become unreacheable after adding VLAN on bridge
Replies: 9
Views: 1784

Re: Router become unreacheable after adding VLAN on bridge

Possibly you assigned IP to interfaces in bridge and trying access router using them?
Correct way - to assign ip to bridge not to interfaces in bridge.
by BlackVS
Wed Feb 22, 2017 6:03 pm
Forum: General
Topic: IPSec tunnel in one direction it is very slow
Replies: 6
Views: 1344

Re: IPSec tunnel in one direction it is very slow

It's a well-known problem with mikrotik ipsec tunnels. Agree. But it exists in CCR. Not 1100ah or HAP AC. Mikrotik ipsec tunnels are not compatible with Windows. Again can be true if consider CCR. But can be fixed by switching to the software implemented encryptions, for example AES-CTR, Camellia. Qu...
by BlackVS
Mon Feb 13, 2017 5:01 pm
Forum: Scripting
Topic: How To Get Keys of this Array ?
Replies: 4
Views: 2013

Re: How To Get Keys of this Array ?

So simple things are still so crazy in RouterOS. 1. First approach is like here - http://www.paperstreetonline.com/category/tech/networking/mikrotik/ 2. In the case if known index of element to be removed I prefer use such more simple way (removing element with index $index from array): :put ([:pick...
by BlackVS
Mon Feb 13, 2017 6:56 am
Forum: General
Topic: Connection Mark Issues
Replies: 4
Views: 1296

Re: Connection Mark Issues

Useless screenshots due to we can't see full rules (marks, passthrough etc).
Use export to file instead, for example:
/ip firewall export file=fr.rsc
Copy fr.rsc to computer, delete sensitive information if is and paste here rest.
by BlackVS
Fri Feb 10, 2017 11:35 am
Forum: General
Topic: Best VPN
Replies: 23
Views: 12507

Re: Best VPN

Hello, my problem is, only one Site have a official Public IP. the other Site have a 3G LTE Uplink. i need to connect from any place behind Firewalls. now i use pptp, but the speed is very slow. SSTP, or L2TP better? PPTP is faster comparing l2tp/sstp/openvpn. I.e. questions are: - which router you ...
by BlackVS
Sun Dec 18, 2016 7:34 am
Forum: General
Topic: CCR Single Stream TCP through Tunnel very slow (355KB/s)
Replies: 4
Views: 1247

Re: CCR Single Stream TCP through Tunnel very slow (355KB/s)

1. Due to single TCP stream my question is what is the ping delay between sites?
2. Search forum on "CCR reordering packets problem" and change from hardware coded encryption (CBC) to the software one (for example CTR or Camellia) :) (there are no more solutions known to fix this at this moment)
by BlackVS
Fri Dec 16, 2016 12:06 pm
Forum: General
Topic: Recomendation
Replies: 3
Views: 330

Re: Recomendation

by BlackVS
Fri Dec 16, 2016 7:22 am
Forum: RouterBOARD hardware
Topic: Another CCR bites the dust
Replies: 13
Views: 2477

Re: Another CCR bites the dust

One CCR1036 died due to failed PSU after few years of working. PSU had blown up capacitors. We changed capacitors but work was still unstable. Due to order new original PSU for Mikrotik in Ukraine is a little quest we decided to replace PSU to the external one like it done on CCR-1009-PC (CCR with p...
by BlackVS
Fri Dec 09, 2016 10:31 am
Forum: Scripting
Topic: Script to check new hardware connected (IP - MAC)
Replies: 8
Views: 2523

Re: Script to check new hardware connected (IP - MAC)

Hi BlackVS, as always thanks you for your patience. I changed to e-mail but not luck, I don't receive any emails. I checked logs but there aren't any entry respect that, only I see that: 07:11:13 wireless,info 08:D4:XX:XX:XX:XX@wlan1: connected 07:11:17 wireless,info 08:D4:XX:XX:XX:XX@wlan1: discon...
by BlackVS
Wed Dec 07, 2016 2:23 pm
Forum: Scripting
Topic: Script to check new hardware connected (IP - MAC)
Replies: 8
Views: 2523

Re: Script to check new hardware connected (IP - MAC)

Do you see in the log messages from script? I specially put "/log info" commands for easy debug.
And you have error - must be "e-mail" not "email" %)
by BlackVS
Wed Dec 07, 2016 7:24 am
Forum: Beginner Basics
Topic: Sniffing incoming and outgoing traffic on hAP ac
Replies: 4
Views: 703

Re: Sniffing incoming and outgoing traffic on hAP ac

Hello, I want to buy an 'hAP ac' router in order to capture (aka sniff) packets from the incoming (before NAT) as well as the outgoing (after NAT) traffic simultaneously using the packet sniffer tool, Is it possible? how can I do so? https://s17.postimg.org/iwsvr66j3/2016_12_07.png But you should h...
by BlackVS
Wed Dec 07, 2016 7:17 am
Forum: General
Topic: prerouting and postrouting
Replies: 2
Views: 796

Re: prerouting and postrouting

One packet can have only one mark.
by BlackVS
Tue Dec 06, 2016 6:21 pm
Forum: Scripting
Topic: such item (4)
Replies: 12
Views: 3823

Re: such item (4)

/ip firewall address-list
:foreach i in=[find list=redirect] do={
  :do {
      remove $i;
  } on-error={ :put "xxx"};
 }
 
by BlackVS
Tue Dec 06, 2016 6:15 pm
Forum: General
Topic: FTP not working
Replies: 21
Views: 2261

Re: FTP not working

Some notice: add action=drop chain=forward comment=torrent connection-limit=1,32 log-prefix=all_torrent p2p=all-p2p http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter Matches connections per address or address block up to and including given value. Should be used together with connection-state=...
by BlackVS
Tue Dec 06, 2016 6:05 pm
Forum: General
Topic: FTP not working
Replies: 21
Views: 2261

Re: FTP not working

3. I see my files, ftp://my_external_ip, or i must setup ftp server in local and redirect port, to check this?
I mean to setup ftp server in one of three local lans (192.168.10.x, 192.168.11.x,192.168.88.x) to check if it is either router problem or provider.
by BlackVS
Tue Dec 06, 2016 1:00 pm
Forum: Scripting
Topic: such item (4)
Replies: 12
Views: 3823

Re: such item (4)

Error occurs in cases if command tries to remove an item that does not exist any more (dynamic entries that already was removed, other script or user manually is modifying address list at the same time when command is executed) Is there any solution? Use foreach loop which enumerate results of [fin...
by BlackVS
Mon Dec 05, 2016 9:11 pm
Forum: General
Topic: FTP not working
Replies: 21
Views: 2261

Re: FTP not working

on firmware 6.35 was the same problem. The ISP says that he's fine and nothing is closed. Check through the other ISP can't. any external ftp servers do not work. on my other mikrotik this is not a problem(similar configuration). 1. Other mikrotik is tested via same ISP? 2. Put here export of your ...
by BlackVS
Mon Dec 05, 2016 8:55 pm
Forum: Scripting
Topic: Script to check new hardware connected (IP - MAC)
Replies: 8
Views: 2523

Re: Script to check new hardware connected (IP - MAC)

Image
I.e:
1. You forgot ":" before "if".
Variant 2 (I was wrong - example from Wiki works %):
Image
by BlackVS
Mon Dec 05, 2016 8:27 pm
Forum: RouterBOARD hardware
Topic: Is RB3011UiAS-RM suitable for VPN?
Replies: 7
Views: 4874

Re: Is RB3011UiAS-RM suitable for VPN?

From my experience: Q1. IPSEC+AES-256 = 80 => No. I tested RB951 (the same performance as RB2011) - 20M is maximum for AES-256. But it was RouterOS 5.x Q2. No. Check http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_encryption Possibly RB3011 will allow pass ~80M ipsec AES-256 but I'm not sure 1...
by BlackVS
Fri Dec 02, 2016 8:22 pm
Forum: Scripting
Topic: script-python
Replies: 1
Views: 702

Re: script-python

I wanna native Python support in RouterOS too...
Let's dream together %()
by BlackVS
Fri Dec 02, 2016 6:34 pm
Forum: Scripting
Topic: Script to check new hardware connected (IP - MAC)
Replies: 8
Views: 2523

Re: Script to check new hardware connected (IP - MAC)

http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server lease-script Script that will be executed after lease is assigned or de-assigned. Internal "global" variables that can be used in the script: leaseBound - set to "1" if bound, otherwise set to "0" leaseServerName - dhcp server name leaseActMAC - ac...
by BlackVS
Sun Nov 27, 2016 2:33 pm
Forum: Beginner Basics
Topic: CCR 1036 routing performance between local 10. and 192. subnet
Replies: 4
Views: 664

Re: CCR 1036 routing performance between local 10. and 192. subnet

Subnet 192.x.x.x and Subnet 10.x.x.x connected via one Switch to a CCR 1036. VLANs or just L2 switch? The switch is connected with 2 ethernet connections to port 5 and port 6 from my CCR 1036. Why do you use 2 Ethernet connections from one switch? It is in any case wrong (except some special cases)...
by BlackVS
Fri Nov 25, 2016 12:28 pm
Forum: General
Topic: Failover with two redundant link
Replies: 3
Views: 991

Re: Failover with two redundant link

I have RB450G, and internet connection from my upstream provider via FIBER wire with one public IP on Port-1. As a backup they have provided me with second fiber which I have inserted in rb450g port 2. Right now I have added same ip on both interface and keep one interface disable. When primary fib...
by BlackVS
Thu Nov 24, 2016 7:37 am
Forum: Scripting
Topic: How to verify result of fetch upload to FTP server?
Replies: 4
Views: 2373

Re: How to verify result of fetch upload to FTP server?

One more way - run fetch in separate script (using ":execute") and catch the output of script. Fetch if success prints "status: finished". Or prints error message which can be parsed. :local logftp "ftp.log" :local cmd "/tool fetch mode=ftp upload=yes user=\"$ftpuser\" password=\"$ftppassword\" src-pa...
by BlackVS
Wed Nov 23, 2016 11:13 am
Forum: Scripting
Topic: How to verify result of fetch upload to FTP server?
Replies: 4
Views: 2373

Re: How to verify result of fetch upload to FTP server?

Hi all, 1) Is it possible to get some sane result back from the fetch command? Isn't it supposed to abort the fetch operation and return something useful as a function result? I found only one way for the same situation - to put fetch command into the :do { } on-error={} block... Example from my co...
by BlackVS
Wed Nov 23, 2016 10:45 am
Forum: Scripting
Topic: DHCP new lease
Replies: 3
Views: 967

Re: DHCP new lease

Hi, What would be the script code for send email every new lease offered by DHCP ? I want to receive one email with the IP address and MAC Address of every single lease. thanks http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server lease-script (string; Default : ) Script that will be executed after l...
by BlackVS
Wed Nov 23, 2016 10:31 am
Forum: Scripting
Topic: if else not working in script but run in terminal
Replies: 5
Views: 2066

Re: if else not working in script but run in terminal

Hm... possibly I need some beer %))) Due to it is not clear for me what to do %) For example if we success in 1 find a metric 3 it automatically means that always true is 3 if metric3 = true and always false is 4 if metric3 = false ? Or you meant that if p.1 success do p.3 and if p.1 not success do ...
by BlackVS
Wed Nov 23, 2016 10:12 am
Forum: Scripting
Topic: How can I export dynamic address list entries?
Replies: 5
Views: 5107

Re: How can I export dynamic address list entries?

One more variation for previous one:
/execute script="foreach k,v in [/ip address find dynamic=yes] do={:put [/ip address get \$v address];}" file=dynaddresses.txt
Possibly it can export more than 4096 bytes because it does not use a string buffer, but not sure - needs to be checked
by BlackVS
Wed Nov 23, 2016 10:03 am
Forum: Scripting
Topic: How can I export dynamic address list entries?
Replies: 5
Views: 5107

Re: How can I export dynamic address list entries?

Bump. Anyone? --jeroen Or something like this: :local text foreach k,v in [/ip address find dynamic=yes] do={ :set text "$text\$[/ip address get $v address]" } /execute script=":put \"$text\"" file=dynaddresses.txt PS: but in such case file can't be longer 4096 bytes - it is limit for strings in Ro...
by BlackVS
Wed Nov 23, 2016 7:40 am
Forum: Scripting
Topic: error using on-error
Replies: 1
Views: 1392

Re: error using on-error

Hi. I try to delete pppoe connections do not having a simple queue. I use this code: ... /ppp active remove $Iface ... remove requires the number or id of object to be deleted if I remember right. I.e. try run this /ppp active remove $Id but each time the error is "expected end of command" Wrong us...
by BlackVS
Tue Nov 22, 2016 8:04 pm
Forum: Scripting
Topic: if else not working in script but run in terminal
Replies: 5
Views: 2066

Re: if else not working in script but run in terminal

if ([/ip route get [find distance=3] distance] =3 ) is always true if route with distance 3 exists. Due to you check distance of route with distance 3 and compare to 3. If no such route then "get" returns error "no such item" (due to "find" returns empty array, not nil, not false but always array) ...
by BlackVS
Sat Nov 19, 2016 7:47 am
Forum: Beginner Basics
Topic: New RB750Gr3 - cant get working
Replies: 5
Views: 1596

Re: New RB750Gr3 - cant get working

but no ethernet port leds turn on when they are connected. Possibly in current config ethernet LEDs disabled (it is possible. Strange but possible). First check ethernet cable. Second - when connect to notebook interface on notebook is up? 100M or 1G. If not then it seems to be broken device. Or......
by BlackVS
Fri Nov 18, 2016 12:25 pm
Forum: Beginner Basics
Topic: Mikrotik RB260GS
Replies: 1
Views: 391

Re: Mikrotik RB260GS

RB260GS is not RouterOS switch. It has own SwitchOS i.e. you will not be able to install Dude to it (you haven't such options here - http://www.mikrotik.com/download ). I have one such at home and just looked at - it hasn't any Dude mentioning in the interface. I.e. it is usual switch with some non-...
by BlackVS
Fri Nov 18, 2016 12:11 pm
Forum: Forwarding Protocols
Topic: Simple Load Balancing, two routes with equal cost
Replies: 3
Views: 1705

Re: Simple Load Balancing, two routes with equal cost

If two routes have equal cost will OSPF automatically load balance across them? Hmmm... Routes with equal costs (ECMP routes) may appear as result of OSPF. But may be created manually. In any case OSPF doesn't do any balancing itself - it just "creates" and chooses routes between source and destina...
by BlackVS
Wed Nov 16, 2016 6:03 pm
Forum: General
Topic: Licensing Questions
Replies: 2
Views: 452

Re: Licensing Questions

Most answers are here: http://wiki.mikrotik.com/index.php?title=Manual:License All Licenses: never expire include 15-30 day free support over e-mail can use unlimited number of interfaces are for one installation each offer unlimited software upgrades If you buy router from Mikrotik it already inclu...
by BlackVS
Fri Nov 11, 2016 10:03 am
Forum: Scripting
Topic: Automated blocking of IP addresses
Replies: 12
Views: 17729

Re: Automated blocking of IP addresses

Hi !! I'm IT Expert ... but finally i find out that not possible !! Very fun... Generally I agree with you - everything can be hacked. Question only in resources spent (time, money, equipment etc) But if 0. Use non-standard ports. 1. Use VPN for access. To hack proper vpn much more harder than hack...
by BlackVS
Fri Nov 11, 2016 10:01 am
Forum: Scripting
Topic: Automated blocking of IP addresses
Replies: 12
Views: 17729

Re: Automated blocking of IP addresses

... turbulence in forum...
see next post %)
by BlackVS
Tue Nov 08, 2016 7:25 am
Forum: Announcements
Topic: v6.37.1 [current] is released!
Replies: 144
Views: 37781

Re: v6.37.1 [current] is released!

One more strange thing happened on one router (CCR1016) with 6.37.1. It has two WANs with loadbalancing/backup and few days ago one channel down. I thought that it is provider related problem (due to I couldn't ping gate, physical link was ok) and even started to contact with him but looked at log a...
by BlackVS
Mon Nov 07, 2016 11:35 am
Forum: General
Topic: Test for MTCWE
Replies: 4
Views: 2983

Re: Test for MTCWE

Hello, you won't get them. This is closed source kept and maintained by Mikrotik guys. greets Hmmm... really? The quick search on Scribd by MTCWE keyword gives positive result %) - https://www.scribd.com/doc/303019209/4-524370706037735455 The same is for MTCRE, MTCNA. But be careful - many MTCRE, M...
by BlackVS
Thu Nov 03, 2016 6:49 pm
Forum: General
Topic: Route traffic for another subnet to ipsec tunnel
Replies: 2
Views: 606

Re: Route traffic for another subnet to ipsec tunnel

I see 2 variants: A) separate policy for each pair of source and destination networks as wrote above. I had this long time ago and stopped to use when a number of remote offices exceeded three and a number of networks exceed ten %) B) use IPSEC over another tunnel. For example GRE+IPSEC. In such case...
by BlackVS
Thu Nov 03, 2016 6:23 pm
Forum: General
Topic: Lots of dropped 10.132.88.1:67 packets from WAN port
Replies: 1
Views: 403

Re: Lots of dropped 10.132.88.1:67 packets from WAN port

10.132.88.1 is DHCP server.
If it is not provider's DHCP server contact provider and give him this info.
Also check if you have DHCP client run on ether1....
by BlackVS
Thu Nov 03, 2016 2:36 pm
Forum: Announcements
Topic: MikroTik News November 2016 (Issue #73)
Replies: 27
Views: 10806

Re: MikroTik News November 2016 (Issue #73)

What measures should be taken to avoid packet reordering?
[irony]do not do hardware IPsec on CCR, huh?.. :lol:[/irony]
by BlackVS
Mon Oct 31, 2016 6:45 am
Forum: Announcements
Topic: v6.37.1 [current] is released!
Replies: 144
Views: 37781

Re: v6.37.1 [current] is released!

With 6.37.1 it's this. add action=accept chain=forward comment="allow established connections" connection-state="" add action=accept chain=forward comment="allow related connections" connection-state="" add action=drop chain=forward comment="drop invalid connections" connection-state="" Thanks, now...
by BlackVS
Sun Oct 30, 2016 7:32 pm
Forum: Announcements
Topic: v6.37.1 [current] is released!
Replies: 144
Views: 37781

Re: v6.37.1 [current] is released!

Had working config on RB951G, v.6.34 After upgrade to 6.37.1 found issue with wrong masquerade behavior: I have PPTP server on one side (CCR) and PPTP client (RB951G) on other side. Behind CCR we have a lot of work networks. Behind RB951 we have home network. Due to I don't want add routes on CCR fo...
by BlackVS
Fri Oct 28, 2016 8:16 pm
Forum: RouterBOARD hardware
Topic: RB750Gr3 - Report and questions
Replies: 112
Views: 32540

Re: RB750Gr3 - Report and questions

Redo the test without fragmentation and you will see different result. Sure. But... hm... in such case we will get results not from real world due to I have complex network and real clients send usual ethernet MTU packets. Of course fragmentation take place and in the case of non-fragmentation we w...
by BlackVS
Fri Oct 28, 2016 8:28 am
Forum: RouterBOARD hardware
Topic: RB750Gr3 - Report and questions
Replies: 112
Views: 32540

Re: RB750Gr3 - Report and questions

BlackVS, test, please, L2TP/IPsec with AES-256. About your stranges with CPU, I think this is global firmware bug, I found it at all firmwares after 6.34.4: http://forum.mikrotik.com/viewtopic.php?t=110714. Support say, that all is ok, buy more powerful router. As we see, most very powerful routers...
by BlackVS
Wed Oct 26, 2016 9:55 am
Forum: RouterBOARD hardware
Topic: RB750Gr3 - Report and questions
Replies: 112
Views: 32540

Re: RB750Gr3 - Report and questions

Some more tests with RB750Gr3 are here: https://www.mikrotik-club.in.ua/2016/10/26/rb750gr3-pptp-openvpn-perfomance-tests/#more-80 In Russian %) but results readable for English speaking guys. If shortly: I tested this device as client VPN router not ipsec. For case of remote office. Now RB951G is u...
by BlackVS
Tue Sep 27, 2016 10:28 am
Forum: General
Topic: IPSec Tunnel Creation
Replies: 8
Views: 40582

Re: IPSec Tunnel Creation

https://en.wikipedia.org/wiki/IPsec

ESP operates directly on top of IP, using IP protocol number 50

by BlackVS
Tue Sep 20, 2016 10:01 am
Forum: Beginner Basics
Topic: Proper way to passthrough IPTV
Replies: 21
Views: 13347

Re: Proper way to passthrough IPTV

Try http://wiki.mikrotik.com/wiki/Manual:Routing/IGMP-Proxy + add firewall rule to allow IGMP traffic for upstream (in my example for ether1-wan ): /ip firewall add chain=input comment="Allow IGMP" in-interface=ether1-wan1 protocol=igmp PS: igmp not present by default. You should add it installing a...
by BlackVS
Thu Sep 15, 2016 7:26 pm
Forum: General
Topic: PPTP server and OVPN server work separately but not if both enabled
Replies: 13
Views: 1453

Re: PPTP server and OVPN server work separately but not if both enabled

Established, Related and FastTrack need to be moved to the top. They aren't helping you right now. What do you mean? ..Don't work as expected?... Reason for these rules is avoid processing extra rules for established/related connections. And there is no sense if these rules at the end - router will...
by BlackVS
Thu Sep 15, 2016 7:22 pm
Forum: General
Topic: PPTP server and OVPN server work separately but not if both enabled
Replies: 13
Views: 1453

Re: PPTP server and OVPN server work separately but not if both enabled

Hm, I have PPTP, OVPN servers enabled and they work fine together...
by BlackVS
Tue Sep 13, 2016 10:43 am
Forum: Forwarding Protocols
Topic: scope and target-scope
Replies: 1
Views: 2840

Re: scope and target-scope

by BlackVS
Fri Sep 09, 2016 8:05 pm
Forum: Scripting
Topic: Find last pysical ethernet port
Replies: 1
Views: 567

Re: Find last pysical ethernet port

Run in console:
:put [:len [/interface find default-name~"ether"]]
This supposes that default names of ethernet ports are numbered sequentially from 1.
To get real name (not default) of last port find interface with default-name equal to etherN, where N got in previous command.
by BlackVS
Tue Aug 30, 2016 10:30 am
Forum: General
Topic: Attempt to hack my CCR1036-8G-2S+
Replies: 3
Views: 789

Re: Attempt to hack my CCR1036-8G-2S+

Capture and analyze few packets (to check protocol). I know of cases some inner clients used BitTorrent with open port 1723. But better to block access to the 1723 TCP port for all and enable it only for some. PS: or use port-knocking method. Like http://mum.mikrotik.com/presentations/US10/discher.pdf
by BlackVS
Mon Aug 29, 2016 5:07 pm
Forum: General
Topic: FastTrack with Mangle Rules
Replies: 3
Views: 2265

Re: FastTrack with Mangle Rules

What means parent=global here ? http://wiki.mikrotik.com/wiki/Manual:Queue parent (Name of , or none) : assigns this queue as a child queue for selected target. Target queue can be HTB queue or any other previously created queue global - you can see in this diagram - http://mikrotik-trainings.com/d...
by BlackVS
Mon Aug 29, 2016 3:42 pm
Forum: General
Topic: Forward all traffic from one interface to another
Replies: 6
Views: 1816

Re: Forward all traffic from one interface to another

Will I need to forward all traffic from Eth2 to Eth5
Absolutely all traffic? In such case you needn't router ^)
Or only traffic related to the concrete global IP? Then dst-nat...
by BlackVS
Fri Aug 19, 2016 7:51 pm
Forum: General
Topic: IPSec strange issues with CCR1016
Replies: 12
Views: 1442

Re: IPSec strange issues with CCR1016

One more notice - internal btest tools is not very accurate. I did direct VPN connection between two CCR (CCR1016 and CCR1036). One without any rules, other have some rules (it is used in office). In my test Btest shows (I run tests 5-10 times and chose the highest one): Direct BT test (ether-ether)...
by BlackVS
Thu Aug 18, 2016 11:35 am
Forum: General
Topic: IPSec strange issues with CCR1016
Replies: 12
Views: 1442

Re: IPSec strange issues with CCR1016

Relating to the speed - try change from AES-CBC to AES-CTR or Camellia.
I suspect you will be surprised very much...
by BlackVS
Wed Aug 17, 2016 2:37 pm
Forum: General
Topic: Slow IPSec tunnel and windows machines
Replies: 11
Views: 2037

Re: Slow IPSec tunnel and windows machines

But fact is that AES-256-CBC much slower for transferring in one pipe (copying via Samba for example) comparing AES-256ctr or Camellia-256. I've tested on 6.36 , CCR-1016 <-> CCR-1016 - CBC gives maximum 4-5 Mbit, CTR - about 30-35 Mbit, Camellia - 35-40Mbit for 100Mbit inter office connection. 100M c...
by BlackVS
Wed Aug 17, 2016 12:48 pm
Forum: General
Topic: Slow IPSec tunnel and windows machines
Replies: 11
Views: 2037

Re: Slow IPSec tunnel and windows machines

AES-256-cbc uses hardware "acceleration". I put in quotes because it seems to be coded in one thread. Change from AES-256-cbc to AES-256-ctr or Camellia-256 and try.
PS: and better use GRE or IP-IP instead l2tp in this case...
by BlackVS
Sun Aug 14, 2016 7:41 pm
Forum: General
Topic: Need help in GRE tunnel MTU
Replies: 2
Views: 565

Re: Need help in GRE tunnel MTU

Did you set IPSEC encryption of GRE tunnel?
If yes then 1422 is normal MTU for channel. I usually set 1420 for GRE+IPSEC channels.
by BlackVS
Sun Aug 14, 2016 9:31 am
Forum: General
Topic: IPSec strange issues with CCR1016
Replies: 12
Views: 1442

Re: IPSec strange issues with CCR1016

Peer settings http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Peer_configuration Peer configuration settings are used to establish connections between IKE daemons ( phase 1 configuration ). This connection then will be used to negotiate keys and algorithms for SAs. Proposal http://wiki.mikrotik.com/w...
by BlackVS
Sun Aug 14, 2016 9:18 am
Forum: General
Topic: FastTrack with Mangle Rules
Replies: 3
Views: 2265

Re: FastTrack with Mangle Rules

http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack

Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, ip traffic-flow(restriction removed in 6.33), ip accounting, ipsec, hotspot universal client, vrf assignment
by BlackVS
Wed Aug 10, 2016 7:00 am
Forum: Scripting
Topic: wait internet came back and send e-mail
Replies: 2
Views: 673

Re: wait internet came back and send e-mail

Dear friends If ping 200.223.0.84 response, send e-mail, case not, wait 5 minutes and try again until ping response. Does some one have any idea how to develop it? Sorry for bad english You may split backup generation and sending email: Script 1. After backup generation assign name of created bac...
by BlackVS
Tue Aug 09, 2016 11:28 am
Forum: Beginner Basics
Topic: RB951 wont come on
Replies: 2
Views: 538

Re: RB951 wont come on

Hello, during a lightning storm the lights were dimming/flashing and now the RB951 wont come on. I'm going to assume there isn't much I can do, but does anyone have an ideas ? I tried plugging directly in to wall and everything. No LEDs are on? In such case first check power supply as written above...
by BlackVS
Mon Aug 08, 2016 3:35 pm
Forum: Scripting
Topic: Problems with my first script
Replies: 3
Views: 639

Re: Problems with my first script

Running from terminal gives:
"bad command name email (line 8 column 15)"
i.e. you missed "-" in "e-mail"
by BlackVS
Mon Aug 08, 2016 2:55 pm
Forum: General
Topic: IPSec AES-256-GCM
Replies: 10
Views: 2347

Re: IPSec AES-256-GCM

I can't now, but later from a computer
Sent from my XT1575 using Tapatalk
Just gentle reminder %), thanks in advance.
by BlackVS
Sun Aug 07, 2016 7:38 pm
Forum: Beginner Basics
Topic: how to change firewall rules using script?
Replies: 9
Views: 1466

Re: how to change firewall rules using script?

thanks for the reply mate, but I've configured my router with firewall action tarpit enabled, I'd like to know how to test it. could you please tell me? I'm sorry that I'm such a noob for this. Sorry, may be I didn't catch... What to test? If tarpit rules run? Just check bytes/packets for this rule...
by BlackVS
Sun Aug 07, 2016 7:04 pm
Forum: General
Topic: Strange slow internet connections
Replies: 20
Views: 1549

Re: Strange slow internet connections

1. What was the reason to create bridge with one interface on Hex1/Hex2 ? Except specially to make higher load of CPU of course %) Disable both them. 2. Why to not plug Pi3 directly in Hex1 or CRS125? Try both variants and check speedtest results. If they are the same then problem not in Hex1/Hex2. ...
by BlackVS
Sun Aug 07, 2016 9:41 am
Forum: General
Topic: [SOLVED] Strange problem, can't ping gateway.
Replies: 11
Views: 2347

Re: Strange problem, can't ping gateway.

You need to put ether1 and ether5 into the bridge, then assign the IP address to the bridge, not the port.
ether1 and ether6 you mean I think (both master ports).
Because ether5 is already a slave of ether1...
by BlackVS
Sun Aug 07, 2016 7:44 am
Forum: General
Topic: [SOLVED] Strange problem, can't ping gateway.
Replies: 11
Views: 2347

Re: Strange problem, can't ping gateway.

I can ping any other IP within the /25 except .1 which is the router at my ISP. May be your provider uses MAC locking. In such case you have to call provider and ask unblock new MAC (some providers allow this to do online. Sometime they charge additional costs for this ^). Or change ether1 RB2011 M...
by BlackVS
Sat Aug 06, 2016 9:44 pm
Forum: General
Topic: IPSec AES-256-GCM
Replies: 10
Views: 2347

Re: IPSec AES-256-GCM

Who said anything about NAT?
You need to turn on the ipsec debug logging to see what the phase2 errors are
Debug log with errors are in 1st message of this topic already.
PS: I can put full log here but errors shown only in these lines
by BlackVS
Sat Aug 06, 2016 8:47 pm
Forum: General
Topic: IPSec AES-256-GCM
Replies: 10
Views: 2347

Re: IPSec AES-256-GCM

Enable ipsec debug logging to see what is wrong with the phase 2
Sure. But what exactly is question. And how NAT is related to this.... Both sides use global white IPs.
by BlackVS
Sat Aug 06, 2016 8:43 pm
Forum: General
Topic: IPSec AES-256-GCM
Replies: 10
Views: 2347

Re: IPSec AES-256-GCM

GCM works well, but is not hardware accelerated. only the AES-CBC cyphers are accelerated. Enable ipsec debug logging to see what is wrong with the phase 2 Problem with CBC that it seems to be coded in one thread. I tested encrypted VPNs between CCRs, 100M channels and ping 40ms between them -...
by BlackVS
Sat Aug 06, 2016 8:37 pm
Forum: General
Topic: IPSec AES-256-GCM
Replies: 10
Views: 2347

Re: IPSec AES-256-GCM

Thank you! For comparing mine current config is: /interface gre add allow-fast-path=no !keepalive local-address=A.A.A.A mtu=1420 name=gre-tunnel remote-address=B.B.B.B /ip ipsec proposal add auth-algorithms=null enc-algorithms=aes-256-gcm lifetime=33m20s name=PROPOSAL-Gcm pfs-group=none /ip ipsec pe...
by BlackVS
Sat Aug 06, 2016 8:24 pm
Forum: General
Topic: IPSec AES-256-GCM
Replies: 10
Views: 2347

Re: IPSec AES-256-GCM

Can you paste your IPSEC setup here, I will be very appreciated %) ?
Because I suspect problem is in some other IPSEC parameters which I set wrong...
by BlackVS
Sat Aug 06, 2016 7:58 pm
Forum: General
Topic: IPSec AES-256-GCM
Replies: 10
Views: 2347

IPSec AES-256-GCM

Has anybody set up IPSEC using GCM encryption on Mikrotiks (in my case - to encode GRE tunnels)? I successfully set up AES-CBC, AES-CTR but failed with AES-GCM - I am getting the "failed to pre-process ph2 packet" error on both sides and stuck where to look further... PS: from debug log I see only this...
by BlackVS
Sat Aug 06, 2016 7:24 pm
Forum: General
Topic: Best VPN for RouterOS
Replies: 7
Views: 2634

Re: Best VPN for RouterOS

I'm using it mainly to unblock tv show from restricted region. Nope I don't own the vpn but there is many vpn that work with router. Which is model of your router? For example I tested RB951G with same aim - and only PPTP among secured VPNs allowed to forward IPTV SD/HD through VPN without lags, ht...
by BlackVS
Fri Aug 05, 2016 7:30 am
Forum: Beginner Basics
Topic: how to change firewall rules using script?
Replies: 9
Views: 1466

Re: how to change firewall rules using script?

You may use address lists technique for automatic blacklisting bruteforcers: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention http://linux-sys-adm.com/how-to-configure-farewall-on-mikrotik/ But if your router under massive attack and it is not CCR - just blocking ports without using address...
by BlackVS
Thu Aug 04, 2016 9:00 pm
Forum: General
Topic: how to make the unit reboot in script?
Replies: 3
Views: 1742

Re: how to make the unit reboot in script?

If I remember right it won't ask anything if run in script.
I've just tested - created simple script with one line "/system reboot;" and run it from Scripts List -> Scripts window - router rebooted.
I.e. "Y/n" is asked only when running from terminal...
by BlackVS
Wed Aug 03, 2016 11:31 am
Forum: General
Topic: Load balancing dual uplinks (dual LAN)
Replies: 7
Views: 1331

Re: Load balancing dual uplinks (dual LAN)

10.1.1.1 and 20.1.1.1 - they use separate Ethernet interfaces and you have L2 link between them? If yes - try bond them directly. Or you can use tricks with EoIP tunnels like here: http://wiki.mikrotik.com/wiki/Manual:Bonding_Examples or VLANs like here - http://forum.mikrotik.com/viewtopic.php?t=70...
by BlackVS
Mon Aug 01, 2016 9:23 pm
Forum: Forwarding Protocols
Topic: OSPF
Replies: 3
Views: 810

Re: OSPF

From "Instances:":  in a production environment, routers such as the RB1100, RB3011, and the CRS line would be better choices CRS ?!! Or CCR? %) Other question/note - often people creates loopbacks for OSPF router-ids. But it is Cisco implementation for automatic choosing of router-id (i.e.  if no r...
by BlackVS
Fri Jul 22, 2016 7:46 am
Forum: General
Topic: Load Balancing / dual WAN
Replies: 6
Views: 1903

Re: Load Balancing / dual WAN

did I ask difficult? First answer is - it is only you decision what to choose - bandwidth or PCC balancing %) From my point of view it is not good than one PC will go to internet occasionally via different channels at the same time - some protocols (like SIP) generate few connections at the same ti...
by BlackVS
Fri Jul 22, 2016 7:22 am
Forum: Beginner Basics
Topic: Cloud Core vs Routerboard?
Replies: 11
Views: 4230

Re: Cloud Core vs Routerboard?

Most answers are below (see Performance test results) http://routerboard.com/RB3011UiAS-RM http://routerboard.com/CCR1009-8G-1S-PC (lower CCR model) For home RB3011 is quite enough in 99% cases. From point of stability - I had RB2011, I have RB951 and CCR1009 at home - all they works stable. 24/7, in...
by BlackVS
Mon Jul 18, 2016 9:03 pm
Forum: General
Topic: Slow VPN tunnels (SSL, PPTP, L2TP)
Replies: 40
Views: 43832

Re: Slow VPN tunnels (SSL, PPTP, L2TP)

1. Do you use last RouterOS version on all routers? If not - try use Camellia-128 instead AES-128. Reason - AES uses hardware acceleration. Camellia - software. Sounds like joke but for a long time hardware acceleration was slower than software one in CCRs. In last versions it seems to be fixed (I us...
by BlackVS
Thu Jun 30, 2016 6:47 pm
Forum: General
Topic: Multicast routing from Lan to Wan
Replies: 3
Views: 1463

Re: Multicast routing from Lan to Wan

234.x.x.x -  Unicast-Prefix-based IPv4 Multicast Addresses i.e has special application (https://tools.ietf.org/html/rfc6034). Use 239.x.x.x Also check firewall - possibly multicast or IGMP blocked by firewall rules.  Also I see that you set source ip for IGMP Proxy Group 234.5.6.7 equal 192.168.0.1....
by BlackVS
Thu Jun 30, 2016 4:39 pm
Forum: Beginner Basics
Topic: two wan public ip
Replies: 3
Views: 662

Re: two wan public ip

With one correction - due to both WAN on the same provider I suspect both WANs have the same subnet/gateway? If yes you must specify also interfaces in default routes. Something like this: /ip route add dst=0.0.0.0/0 gateway=gatewayip%ether1 /ip route add dst=0.0.0.0/0 gateway=gatewayip%ether6 routi...
by BlackVS
Wed Jun 29, 2016 7:07 pm
Forum: Beginner Basics
Topic: 2 wans with same gateway (not failover)
Replies: 16
Views: 2232

Re: 2 wans with same gateway (not failover)

Just playing with a network similar to yours - see working config below. I started from default config. Here I show two possible ways - route rules (variant 1) and mangle mark route (variant 2). Here they are equal. But variant 2 is more flexible. In case you wish to publish the same services via both ...
by BlackVS
Wed Jun 29, 2016 10:23 am
Forum: Beginner Basics
Topic: 2 wans with same gateway (not failover)
Replies: 16
Views: 2232

Re: 2 wans with same gateway (not failover)

WAN1&WAN2 (PPPoE static IPs) links come from the same ISP (same gateway). Published servers on 10.10.254.0/24 subnet. Also I need to access internet from 10.10.254.0/24. Other subnets are working very well with WAN1 link. To clarify - published servers should be accessible from Internet via WAN2 and go t...
by BlackVS
Wed Jun 29, 2016 10:06 am
Forum: Beginner Basics
Topic: Upgraded my Internet but still get the same speed through Mikrotik 2011
Replies: 9
Views: 1410

Re: Upgraded my Internet but still get the same speed through Mikrotik 2011

To decrease CPU load, join ether2-..ether5 in one switch, ether6-ether10 in the second switch and - if you want - bridge these two switches. I.e. ether3..ether5 use master port set in ether2, ether7-ether19 - in ether6. And then bridge only ether2 and ether6 if needed. Difference between bridge and swit...
by BlackVS
Mon Jun 27, 2016 3:24 pm
Forum: Beginner Basics
Topic: 2 wans with same gateway (not failover)
Replies: 16
Views: 2232

Re: 2 wans with same gateway (not failover)

Ok. I propose to start from the very beginning %) because I suspect that we are talking about slightly different things.
Please draw a diagram - your network and what exactly you want to get. With subnets, gates, etc.
by BlackVS
Mon Jun 27, 2016 1:38 pm
Forum: Beginner Basics
Topic: 2 wans with same gateway (not failover)
Replies: 16
Views: 2232

Re: 2 wans with same gateway (not failover)

add action=mark-routing chain=prerouting connection-mark=to_tis115 dst-address=x.x.x.207 in-interface=published-7 new-routing-mark=TIS15 passthrough=no
add action=mark-routing chain=prerouting dst-address=x.x.x.207 new-routing-mark=TIS15 passthrough=no src-address=10.10.254.0/24
add action=mark-rou...
by BlackVS
Mon Jun 27, 2016 10:33 am
Forum: Beginner Basics
Topic: Interface ether2 not on interface list
Replies: 4
Views: 584

Re: Interface ether2 not on interface list

It seems you renamed it.
To check default names, run the following command in Terminal:
/interface ethernet print detail
and find the interface with default name ether2.
by BlackVS
Fri Jun 24, 2016 1:34 pm
Forum: Beginner Basics
Topic: 2 wans with same gateway (not failover)
Replies: 16
Views: 2232

Re: 2 wans with same gateway (not failover)

I have 1 wan for internet from my lan (working) and 2 wan for published services (different subnet). In short: 1. Set default gateway to the first provider in the main routing table (i.e. no routing mark set in route). 2. Create the other routing table with different name (for example, routing m...
by BlackVS
Fri Jun 24, 2016 1:07 pm
Forum: Beginner Basics
Topic: Multiple Networks - how to do the separation?
Replies: 5
Views: 1725

Re: Multiple Networks - how to do the separation?

10.0.3.0/24 - voip 10.0.3.0/24 - restricted The same ip networks - is it a mistake? Firewall rules can't be used with bridge (with some exceptions). I.e. "bridge" simulates a usual L2 switch. Like you just take cables from each network and plug into the same switch. Simple but no security. Router - is ...