MikroTik

Here is a good reference for dual sim scripts: https://wiki.mikrotik.com/wiki/Dual_SIM_Application

I've not tried that yet, but can see I'd need to install Wine for WinBox to run on my Mac or borrow a PC with it. If I do either of these, can you explain how I would physically go about discovering devices in the network? I.e. would I need to plug the dish's CAT6 cable into the laptop again and th...

Are you able to use WinBox and discover devices in the network? Maybe you can still connect by using MAC address instead of IP address.

Under /caps-man datapath

There are some examples in the official docs: https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs

It’s not the MikroTik router the one sending the DNS update, but the windows machine instead.

(It’s a Microsoft thing AFAIK)

I would love to see a PoE+ version of the CRS310-8G+2S+IN =)

Hi, please share the output of a “/export hide-sensitive” (if ROS 6.x) ot “/export” (if ROS 7.x) command so we can have a better understanding of what could be happening.

My guess: missing/wrong firewall rules and dns open to public or proxy enabled and open to public.

I made a backup script using shell script in a Linux machine. So Mikrotik devices act as SSH servers and a Linux machine as the SSH client. CCR1072, CCR1009, RB4011, and hEX S. My case is similar to yours (using a RSA priv/pub key pair) and works perfectly after upgrade, at least on RB4011 and hEX ...

Another way (simplier to me) is to allow dnatted traffic in the forward chain by accepting connection-nat-state=dstnat

Upgraded many RB760iGS, cAP-ac, RB4011, and CHR and everything looks good.

@davidalain do you mean using ROS as SSH client to connect to other devices?

Hi @asdgmae2, the solution would depend on how your network architecture is (other routers, switches, etc). Generally speaking, it could be tackled by enabling dhcp-snooping, trusted ports and denying arp-learning on switch ports what are untrusted. Additionally, in your case, in RouterOS set the `a...

What chain are these rules?

Should be “prerouting”

Thanks for giving me the opportunity to contribute @Normis!

I can help with this responsibility as well. IDK if a minimal amount of post is required for such task =)

I understand and have always known this, however, it has always worked normally. I use this RB4011 like this for more than 3 years, even with v7.8 everything was normal. I had used the passive DACs from MikroTik on my RB4011iGS+ without any issue on 6.x. Didn’t use any of those with 7.x, however, I...

Not so smooth on my RB4011iGS+ with ZeroTier package installed before upgrading: - Upgraded ROS from 7.8 to 7.9 [OK] - Upgraded RouterBoot from 7.8 to 7.9 [OK] - Reboot after "system,info,critical Firmware upgraded successfully, please reboot for changes to take effect!" message [Locked du...

For the record I did try to power 3 APS (2 nano HD, 1 WALL HD) and 2 camera + Controlleur + PI via POE adapter (home assistant) and it was working well, the budget power is very low for them. Now the main issue is the number of ports... Also would be better to have more sfp+ ports. That’s interesti...

The RB5009UPr+S+IN won’t provide enough voltage (PoE+) for the Access-Points and the rest of the UniFi products.

Maybe having a spare CRS328 identically-configured but still having to reconnect everything in case the PSU is gone (additionally, the CRS328 PSU is not hot-swappable)

Hi, it would depend on which VPN type you want to setup, but Draytek worked fine for me on some clients: https://www.draytek.com/products/smart-vpn-client/

Ok I will try that. But I also need to undertand. The route of the Magic Packet is something like this?: Magic Packet from WAN --> Modem/router --> Modem/router sends it to all connected devices because it's a broadcast packet --> So it reaches Mikrotik also --> Mikrotik's NAT translate the address...

There is a trick to make WoL work trough NAT. You have to add a static arp entry under IP > ARP (/ip arp) for the host you want to wake-up. /ip firewall nat add action=dst-nat chain=dstnat comment="DNAT: WOL Host XXXX" dst-port=<wan-port> protocol=udp to-addresses=<lan-host-ipaddr> to-port...

CRS309 + CRS326 (-PC) here. Both fanless and you have 10Gb SFP+ interfaces… you can do LACP also.

You need to add the route in /ppp secrets under routes parameter, for the route to the client network to be installed upon connection.

The route format is: "dst-address gateway metric" (for example, "10.1.0.0/24 10.0.0.1 1"). Several routes may be specified separated with commas

You are right @sindy. I didn’t verify the OP link. The issue is related only to windows. Both MikroTik, Linux and macOS (and iOS) don’t have this issue. Would this dirty trick affect connections from OS’s other than Windows 7/10? on the other hand I agree that if it’s causing SSH issues is because a...

I’ve found the following solution for the L2TP/IPSec server behind NAT:
http://woshub.com/l2tp-ipsec-vpn-server-behind/

Re: Is there a problem with IP Cloud? [SOLVED] Same here with 6.47.10 long-term

Same here with 6.47.10 long-term

remove [find where !dynamic]

The following rule at filter table is not allowing your hairpinned-nat traffic:

add action=accept chain=forward connection-nat-state=dstnat in-interface=ether1

You may need to unset the in-interface parameter.

EDIT: mkx had the same observation :D (too fast :)

Hi, this other topic may be helpful: viewtopic.php?t=131363

For most simple setups You must use separate ports for HTTPS Web UI and SSTP Server (I.e. 443 and 8443). SSTP client is not affected. I think you can do some NAT to redirect traffic coming to 443 port and redirect to internal ports if you want to expose same tcp ports in different addresses (I.e. wa...

Mine was R2. I already RMA-ed the device due to lack of response from official MikroTik support (SUP-23837). The new one (also R2) has modem firmware MikroTik_CP_2.160.000_v012 and works fine. I won't upgrade to MikroTik_CP_2.160.000_v017 until I get some kind of response from official support. Also...

IPv6 does not implement broadcast addressing. Broadcast's traditional role is subsumed by multicast addressing to the all-nodes link-local multicast group. You may need to check the following link to know which all-nodes well known addresses you need to filter: https://www.iana.org/assignments/ipv6-...

Probably you may need to NAT the traffic going through VPN if you don’t have the appropriate static routes on each side or dynamic routing properly set.

Contact to Mikrotik support.

Regards.

Sure, I'm getting all the required information to send them a full report.

Forget my previous post... after one day, LTE interface is gone after reboot.

Latest stable (6.47.1) with modem firmware MikroTik_CP_2.160.000_v017 work well after reboots.

Has anybody found a solution for this problem? Having same issue. use latest ROS and latest modem firmware and you will be good. Give us logs if you have a problem. Latest long-term with latest modem firmware has the same issue. No LTE interface after reboot. Everything gets back to normal after po...

Can you share an export of firewall settings (both filter and nat rules)? Maybe you are dst-nating dns queries from the wan side at nat rules, and allowing dstnated packets on the filter rules.

Is your wan interface added to the WAN interface-list?

I totally agree with this request! Can’t wait to get more certifications.

Online MUM would be awesome too!

You can try using the CloudFlare DNS for Families to block both malware and adult sites. More info here: https://developers.cloudflare.com/1.1.1 ... -families/

You may also want to enforce DNS by redirecting all DNS queries to your router or specific destination.

I usually prefer SSTP Tunnel to a public VPN concentrator (i.e. CHR on AWS) so you can access the entire network through a VPN.

Of course , there are many other options to achieve similar results.

I agree with @sindy. Many other factors could contribute to the observed issue.

Please tell us more about your deployment (WiFi AP or other details). And don’t forget:

 /export hide-sensitive

Make sure you are not blocking IPSec traffic (protocols or ports) in the forward table coming from your LAN side. Also, check your DNS cache to see if the devices are resolving 3gpp FQDN pointing to the telco core network for VoWiFi (you can also setup QoS for that traffic): /ip dns cache print wher...

/interface bonding
add mode=802.3ad name=bond01 slaves=ether1,ether2 transmit-hash-policy=layer-2-and-3

to: ingdaka. thx for your answer
If I understand well I start New terminal from menu and after that I write instruction: "export". Is it the correct way?

Just run the following command and download the file from the Files section:

/export file=backup-export.rsc

hEX is a router! I do not need to make a switch from the router! I need gigabit switch (as Gigabit Ethernet Repeater "GPeR" but on 5 ports) - without PoE - without USB - without microSD - without CPU MT7621A (enough QCA8511) Its price should be much less! What is the point of buying an hE...

Is the hEX too expensive to work as a switch? I don’t know what your topology looks like but it could help you to implement OSPF and avoid bridging. Anyways, it can work as a switch too.

You can use %0A to send url-encoded line breaks.

Did you try with the following command?

  /system routerboard settings set boot-os=swos

AFAIK UniFi controller doesn’t have management VLAN settings. They all expect to be untagged, so you can set PVID on all access ports and use trunk ports for UniFi AP and controller.

Is this setting really necessary?.

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes

I think no. Try disabling both and check the speed

I forgot to mention that you could also use the following command to get more stats on both ends (master and slave-side):

/interface w60g print stats interval=1

Network tab is there to set DHCP some of the values sent by DHCP server inside DHCP offer/ack packets.

To set a static IP address, you need to go to DHCP Server > Leases tab.

Also, the network address has the wrong mask in your screenshot.

You can monitor the error rate and MCS on the client-side (station) of the link by running the following command: /interface w60g monitor 0 connected: yes frequency: 58320 remote-address: 30:07:4D:XX:XX:XX tx-mcs: 8 tx-phy-rate: 2.3Gbps signal: 95 rssi: -50 tx-sector: 36 tx-sector-info: center dista...

Hi, did you see this one?

https://mikrotik.com/product/CRS326-24G-2SplusRM

Completely silent, external power supply (very little one) and PoE-In support. Also bigger than the ones you found (is that an issue?).

Hi, I have a similar setup but it works great. Maybe you can post the output of the following command between [ CODE ] [ /CODE ] tags.

 /export hide-sensitive

Maybe you can add a tarpit rule before the drop rule to make them busier and see the results.

Tarpit TCP, Drop UDP.

So can the trouble description be formulated more precisely as "Tapatalk (regardless whether free or pro) on iPhone does not work specifically with forum.mikrotik.com, while it does work just fine with at least one other forum"?

Precisely.

Same here. It doesn’t work on iPhone (since at least 2 years)

I think you can block the hotspot users to access those sites by adding them to the hotspot filtering rules: https://wiki.mikrotik.com/wiki/Manual:I ... led_Garden

Or you can add the same mangle and filter rules four output chain, so the proxied traffic will also match.

Why not to use Winbox with MAC address?

Because the OP asks about Linux command to connect using mac-telnet. Obviously he can run WinBox in a VirtualBox guest.

You can try this tool on Linux/Mac: https://github.com/haakonnessjoen/MAC-Telnet

Most answers for that kind of setup is NO, because most network-connected speakers and media players (Sonos, Apple TV, HomePod, etc.) require the devices to be in the same broadcast domain (same subnet), and won’t work in a routed environment except for one case: using a mDNS/Bonjour proxy. You can ...

You have to move the tls-host and layer-7 rules before accepting related/established connections.

Could you post the output of the following command so we can figure out what is not working on your setup?

/ip firewall export

Maybe a better approach is to mark those BitTorrent packets and put them in a queue with less priority (bigger number) so you can prioritize other traffic before BitTorrent. It’s easier and does not rely on a script to be run every minute.

Not at all... let's say you have an address-list named "acl-limited" with specific addresses (or set dynamically via dhcp-server leases), and your LAN address is 1.2.3.0/24: /ip firewall address-list add list=acl-limited address=1.2.3.4 add list=acl-limited address=1.2.3.5 add list=acl-lim...

You can add the mangle Rules to match src/dst-address-list and mark those packets.

Then, use the same mark at the simple queues or queue tree.

---EDITED---
Try to put the srcnat rule before other srcnat/masquerade rules and do a traceroute to see what happens.

Well, that's because you are using a certificate created by yourself, not by a trusted entity. That's not a router issue. Maybe you can deal with the new issue by adding the CA certificate to your windows host. Also the common-name or the alt-name should match the hostname you are using to connect t...

[admin@MikroTik] > /ip service export hide-sensitive # sep/05/2019 16:26:29 by RouterOS 6.45.1 # software id = SEYH-HLMS # # model = RouterBOARD 941-2nD # serial number = 8AFE08FFCDCE [admin@MikroTik] > Ok, so you will need to desable the www-ssl service or change its port: To disable it: /ip servi...

@Sob, I think the answer is in this other topic created by the author of this thread: viewtopic.php?f=13&t=151821

[admin@MikroTik] > /interface sstp-server server export hide-sensitive # sep/05/2019 14:58:00 by RouterOS 6.45.1 # software id = SEYH-HLMS # # model = RouterBOARD 941-2nD # serial number = 8AFE08FFCDCE /interface sstp-server server set authentication=mschap2 certificate=server enabled=yes [admin@Mi...

[admin@MikroTik] > /ip services export hide-sensitive
bad command name services (line 1 column 5

I'm sorry, the command is:

/ip service export hide-sensitive

Start by moving this rule: add action=accept chain=input comment="Permit SSTP" dst-port=443 protocol=tcp before this other rule: add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN That's why the router is dropping the connections fr...

You only need yo allow traffic to port 443 (or the port you set on /interface sstp-server server) in the input chain. Do not add a nat rule for the port. Second, make sure you have disabled the www-ssl service on "/ip service" (or change the port at /ip service) so the port does not confli...

VLANS are presented as interfaces by themselves, so you need to use the vlan interface name on the queues.

Again, the queues will not balance the traffic, just will limit it.

On simple queues, you can use the “dst” parameter to set the upstream interface (vlan in this case).

Good to hear you resolved the issue.

For future reference, the traffic between 2 IP addresses belonging to the same bridge and same subnet does NOT go through the firewall as it is a Layer-3 firewall (unless you have enabled the use-ip-firewall option under /interface bridge settings).

You can't change the name but, if you have your own domain, you can point a CNAME record in your domain's DNS to point to 529c0491d41c.sn.mynetname.net . ;; ANSWER SECTION: router.yourdomain.com. 179 IN CNAME 529c0491d41c.sn.mynetname.net. 529c0491d41c.sn.mynetname.net. 13 IN A 1.2.3.4

To do that, you will need to do load-balancing + failover (search for PCC or ECMP). https://wiki.mikrotik.com/wiki/Load_Balancing https://wiki.mikrotik.com/wiki/ECMP_load_balancing_with_masquerade https://wiki.mikrotik.com/wiki/Manual:PCC Queues won't help with traffic distribution, but will put a l...

Correct, and the same applies to CAP interfaces.

Indeed, you will find useful to configure the specific settings as the work like "profiles" you can override under interface tab. I usually create all the settings separately (channels, datapaths, security, rates, and all together into configuration), then I set the interfaces. If I want t...

Ok, can you provide the output of the following commands?

/export hide-sensitive
/ip arp print
/ip address print
/ip route print

Just obfuscate the public IP addresses only.

You can start by removing the ether10 port from bridge, or assign the IP address to the bridge.

Hi, can you post an export so we can help you? Looks like wrong settings for ARP under bridge or interface.

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error). [admin@xxxx] > /system backup save Saving system configuration Configuration backup saved 08:54:42 echo: backup,critical error creating backup...

Upgraded a RB851G (both RouterOS and RouterBOOT) from 6.42.12 today. I get errors every time I try to save a backup file (both local and cloud, same error). [admin@xxxx] > /system backup save Saving system configuration Configuration backup saved 08:54:42 echo: backup,critical error creating backup ...

@martinclaro It takes about 15 minutes for it to start working again once you upgrade @tricksol, as I said before, my routers and CHR were updated before this issue happened. I also rebooted some of my routers and nothing happened. As many other forum members said, it looks like connectivity or res...

Upgrading will make it work again + give some new features. Name will stay and nothing else will change. @normis I've been upgrading both RouterOS and Firmware to the latest current-channel version on all my devices and today the service is not working. Is there any process to follow to enable the ...

Also you can update those rules by using whois in a linux/unix/mac box running the following commands: echo "/ip firewall filter" ; whois -h whois.radb.net -- '-i origin AS32934' | grep '^route:' | sort -n | uniq | awk '{print "add action=drop chain=forward comment=Facebook dst-addres...

Search found 90 matches