I'm looking at the packet flow diagram here: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow For the life of me, I can't find anything in there that describes where in that flow packet capture happens. I'm trying to debug a VoIP issue and when capturing on an internal and then an external interfac...
I have a CCR with two WAN links, and a LAN link with a few VLANs on it. Everything on the LAN/VLANs is being NAT'd ("masqueraded"). I have an extra /28 routed to one of the WAN links and want to give unfettered access to a piece of that subnet to someone plugged-in to one of the extra LAN ...
Winbox has not fetched DLLs for quite some time now. Do not use old Winbox.
Don't tell me, tell the guy that wrote the blog post. He did see it happen in his tcpdump though, I don't think he wrote that more than 3-4 months ago.
If you're curious how the bug works, this article is a good read: https://n0p.me/winbox-bug-dissection/ The vulnerability would have been less of a problem if Mik used industry-standard password-hashing methods - since the vulnerability was allowing a remote attacker to download any file, and there'...
Maybe I'm misunderstanding your request, but this type of check exists already using recursive routing. Many years later, this post of mine still comes up when I search for easy ways to do failover when the gateway is always "up". I never answered this follow-up, but I will now. This is t...
Not quite sure how to describe this - assume a Mikrotik router with the stock config/rules. Everything going out ether1 is NAT'd (masqueraded) and the inbound firewall rules are unchanged. Router has a single static IP on ether1 in a /30. An additional /30 is routed to the external interface upstrea...
So yesterday I was given an opportunity to test this. Our provider to one of our PoPs dropped our 1Gb/s metro-e link after a manhole fire. In the building, we were able to find someone with a GPON service that's set up for 500/500. We only have an L3 switch there, and the switch cannot do anywhere ne...
Which model can get me 500Mb/s or more at about 40K PPS over a GRE tunnel? Any of them? I assume CCRs are out because GRE can't use multiple cores, right?
I'm resurrecting my old thread as the "create server binding for a user" does not seem to work. Each time the VPN connection drops, I have to ssh in to the box from somewhere allowed and then manually re-point the static route to the OpenVPN interface. I do have the user for this incoming ...
We run an AWS instance and all of our routers tunnel back to this for management access and monitoring. I've been getting more and more random nagios alerts that latency to some sites (via vpn) is spiking. Results generally look like this: 35 packets transmitted, 35 packets received, 0.0% packet los...
Totally unrelated cause - my firewall rule to allow OSPF (the protocol) had an improper source address. Why it kind of worked and timed out, not sure - probably some kind of weird one-way communication plus state timeout or something. Working fine now... Thanks for the "loopback" tip, had ...
Kind of sad that out of the box Mikrotik still has defaults that allow them to be abused. Someone there must be incredibly stubborn to keep that checkbox checked as a default. :) The defaults ALSO have a firewall filter to block all of this. It doesn't matter if the service is enabled if no packets...
Kind of sad that out of the box Mikrotik still has defaults that allow them to be abused. Someone there must be incredibly stubborn to keep that checkbox checked as a default. :) As someone who both has had to fix up customer Mikrotik boxes and has had to deal with 20+Gb/s DDoS attacks (surely many ...
Is there anything in the logs? enable it with debug (system >logging) then monitor what happens previously to that drop and paste it here... a complete /routing ospf export will be useful too. The full export is there. Nothing of note in the logs, other than what looks like a reassociation just aro...
I'm stumped on this one. I have a bunch of metro-e circuits between a Cisco ASR-1002-X and some cheap old Cisco switches. I run OSPF (v2) between this gear over the metro-e fabric and all is well. In attempting the same with the Mikrotik running the latest firmware (6.33.3) I have no problem with es...
Thank you both so much, that really clarifies things for me. If this works, it will be my go-to QoS setup, as it's really simple to explain, and I don't really see putting the phones in their own dhcp scope as a real big pain compared to a more complex QoS config. I'm having a hard time validating t...
You don't have a parent queue so priority will not do anything. OK, so if I add a parent queue, I'm not going to classify based on IP, so I need a target interface. On the RB750 would that be the bridge interface or one of the physical switch ports? If my parent queue is say, 1800kb/s, what do my t...
I need something that both myself and a support tech can understand. A very common config we run into is a bridged DSL connection (no PPPoE) where the customer needs an actual router that we can maintain as a demarc. We've been buying lots of RB750s for the slower connections and are mostly happy wit...
My bridge interface is configured with the firewall option off: > interface bridge settings print use-ip-firewall: no use-ip-firewall-for-vlan: no use-ip-firewall-for-pppoe: no allow-fast-path: yes Yet I see blocked traffic destined to my (tap mode) openvpn client that's in the same bridge-local bri...
I can't quite figure out how to deal with this. I need to point a route back to the far end of an OpenVPN client. I originally just manually added a route and selected the gateway from the dropdown. However I saw today that rancid sent me a config diff from one of my mikrotik routers that showed the...
I'm new to Mikrotik, and I was happy to see so many ways to load-balance and failover traffic when there are multiple upstream connections. However it seems like performing a real check beyond "is the upstream router powered up" involves delving into scripting, which is a real pain, especi...
I have found issues with what I call dynamic load balancing techniques as explained above. Like pcc etc. Things like making sure some connections always use the same wan add a layer of complexity. My method is simply dividing the client ip addresses into blocks and sending them out to different wan...
I was reviewing the various load-balancing options for multiple links (ECMP, PCC, nth), and they all seem reasonable. What I'm wondering is with each line being 15/2, whether the matter of which method is most efficient comes into play. Hardware is the RB2011. Also I'd really like to shoot for the m...
I should probably point out the radio has no subs on it yet, it's idle.
I also really don't follow the "force on" vs. "auto" - in my case "force on" is the only thing that works. "auto" seems to just randomly cut power to the radio...
Hello, I have my first routerboard product, an RB750UP. I'm not doing anything terribly complicated, it's basically acting as an ethernet/PoE repeater on a long run. We have about 200 feet of cable from the PoE injector to the RB (port 1), and then another 250 to a Ubiquiti Rocket M5 (off of port 2)...