Search found 381 matches

by RackKing
Sun Jul 19, 2020 8:48 am
Forum: General
Topic: Allow limited user rights to make binary backup?
Replies: 4
Views: 1297

Re: Allow limited user rights to make binary backup?

@k6ccc - thank you sir.
by RackKing
Sun Jul 19, 2020 8:20 am
Forum: General
Topic: Allow limited user rights to make binary backup?
Replies: 4
Views: 1297

Re: Allow limited user rights to make binary backup?

If all you want to do is create a binary backup, but leave it on the router, you don't need to allow that for your limited user group. Create a script to create the file and then a schedule that runs the script at whatever interval that you want. You can also have your script send the file somewher...
by RackKing
Sun Jul 19, 2020 5:19 am
Forum: General
Topic: Allow limited user rights to make binary backup?
Replies: 4
Views: 1297

Allow limited user rights to make binary backup?

Hi, I have created a user group with limited rights. What Policies would allow them to save a backup? To be clear, not to export a script .rsc. I backup pulls the passwords, so even if they dumped it onto the same model they would not have access, right? Even if the backup was functional on the n...
by RackKing
Tue Jul 14, 2020 11:53 pm
Forum: General
Topic: Move custom.json file to skins folder?
Replies: 12
Views: 2393

Re: Move custom.json file to skins folder?

I am trying the following, but it is not working: /tool> fetch address=192.168.88.1 src-path=/files/custom.json dst-path=/files/skins/custom.json Sorry I am a fetch newbie. Can anyone help with the correct syntax? Amend paths, etc as per your requirements /tool fetch address=192.168.88.1 mode=ftp sr...
by RackKing
Tue Jul 14, 2020 5:50 pm
Forum: General
Topic: Move custom.json file to skins folder?
Replies: 12
Views: 2393

Re: Move custom.json file to skins folder?

I am trying the following, but it is not working:

/tool> fetch address=192.168.88.1 src-path=/files/custom.json dst-path=/files/skins/custom.json

Sorry I am a fetch newbie. Can anyone help with the correct syntax?
by RackKing
Tue Jul 14, 2020 5:36 pm
Forum: General
Topic: Move custom.json file to skins folder?
Replies: 12
Views: 2393

Re: Move custom.json file to skins folder?

Moving into folders can only be done in two ways. Winbox (can be used in Linux too, with Wine), or using Fetch to directly download the file into the correct folder. Actually a third way is to download using Fetch from one folder to other folder, locally. SCP and or FileZilla? Thank you for this. I...
by RackKing
Tue Jul 14, 2020 5:35 pm
Forum: General
Topic: Move custom.json file to skins folder?
Replies: 12
Views: 2393

Re: Move custom.json file to skins folder?

Moving into folders can only be done in two ways. Winbox (can be used in Linux too, with Wine), or using Fetch to directly download the file into the correct folder. Actually a third way is to download using Fetch from one folder to other folder, locally. Thank you for these three ideas.... it seem...
by RackKing
Tue Jul 14, 2020 4:04 pm
Forum: General
Topic: Move custom.json file to skins folder?
Replies: 12
Views: 2393

Re: Move custom.json file to skins folder?

Try Winbox instead, Webfig lacks several other functions too
Thank you kindly for your reply.

I have a linux box on the other end so I cannot. I can explore wine.

So there is no command via terminal to do this?
by RackKing
Tue Jul 14, 2020 2:44 pm
Forum: General
Topic: Move custom.json file to skins folder?
Replies: 12
Views: 2393

Re: Move custom.json file to skins folder?

Anyone have feedback on this? Normis?
by RackKing
Mon Jul 13, 2020 9:41 pm
Forum: General
Topic: Move custom.json file to skins folder?
Replies: 12
Views: 2393

Re: Move custom.json file to skins folder?

Is this a poor question? Or not possible?
by RackKing
Mon Jul 13, 2020 5:36 pm
Forum: General
Topic: Move custom.json file to skins folder?
Replies: 12
Views: 2393

Move custom.json file to skins folder?

Hi, I am using webfig to manage this router. Hi, I have a custom.json file that I have uploaded to the router. How do I move this to the /skins folder? Drag and drop does not work in webfig or at least it does not for me. I am really trying to just move the folder from the root to /skins. Can someon...
by RackKing
Tue Jul 07, 2020 12:09 am
Forum: Scripting
Topic: DHCP server DNS update
Replies: 4
Views: 4282

Re: DHCP server DNS update

Thanks for this script.

Quick question - is there any advantage to running this from the script call aka
/system script run DhcpToDns
vs having the whole code in the server script area?

Things all good in 6.47?
by RackKing
Tue Jul 07, 2020 12:05 am
Forum: General
Topic: Setting up Avahi Reflector in Mikrotik [SOLVED]
Replies: 21
Views: 6485

Re: Setting up Avahi Reflector in Mikrotik [SOLVED]

Sorry I spaced post those filters rules.... I will try to get at it when I get home.

That is strange the new device cannot work.

What is the igmp all for?
by RackKing
Fri Jul 03, 2020 7:07 pm
Forum: General
Topic: Setting up Avahi Reflector in Mikrotik [SOLVED]
Replies: 21
Views: 6485

Re: Setting up Avahi Reflector in Mikrotik [SOLVED]

Well, you might be right, so I would try this. You mean to allow traffic only to that device? But: It was the input chain rule which caused Chromecast devices to appear. So I added a rule to the input chain, not forward which allows access to the whole network from guest network. The reflec...
by RackKing
Fri Jul 03, 2020 4:57 pm
Forum: General
Topic: Setting up Avahi Reflector in Mikrotik [SOLVED]
Replies: 21
Views: 6485

Re: Setting up Avahi Reflector in Mikrotik [SOLVED]

So the progress is: Chromecast devices work fully on my main network. Guest network does not seem to work, even with mDNS reflection. On Guest network everything is blocked except WAN traffic. As soon as I enable the vlan_guest network to access everything, devices appear. I don't know what I need ...
by RackKing
Fri Jul 03, 2020 6:16 am
Forum: Scripting
Topic: RemoteWinBox [review]
Replies: 12
Views: 3232

Re: RemoteWinBox [review]

Jotne - thanks for doing this. Good to have options.
by RackKing
Thu Jul 02, 2020 7:32 pm
Forum: Scripting
Topic: Yet another DHCP to DNS script
Replies: 26
Views: 16743

Re: Yet another DHCP to DNS script

Anyone have an updated version of this? It is not working for me on 6.47. Thanks.
by RackKing
Wed Jul 01, 2020 7:06 pm
Forum: General
Topic: Pihole DNS hairpin NAT rule help [SOLVED]
Replies: 14
Views: 3499

Re: Pihole DNS hairpin NAT rule help [SOLVED]

For failover, I may try a simple netwatch script to enable / disable a nat rule that redirects DNS to the router. If the Pi implodes it simply gets sent to the router. Of course if the service stops on the Pi the IP stack might still respond, so it is not perfect. Instead of netwatch you can schedu...
by RackKing
Wed Jul 01, 2020 6:45 pm
Forum: General
Topic: Pihole DNS hairpin NAT rule help [SOLVED]
Replies: 14
Views: 3499

Re: Pihole DNS hairpin NAT rule help [SOLVED]

@xvo Thanks to you again - I have this up and running and it works perfectly. Well, I don't really know what kind of advice do you expect from me - using Pi-Hole is quite straightforward, even with some complications like for example cloudflared DoH resolver. As for failover, I guess the best way t...
by RackKing
Wed Jul 01, 2020 4:57 pm
Forum: General
Topic: Pihole DNS hairpin NAT rule help [SOLVED]
Replies: 14
Views: 3499

Re: Pihole DNS hairpin NAT rule help [SOLVED]

You can always post your NAT rules, maybe something is not right... @Zacharias Thanks for your reply. I only have 3 nat rules - the ones listed above and wan masq rule. To get the host name resolution in Pi-hole and make conditional forwarding work as it should putting the Pi-hole on its own netwo...
by RackKing
Wed Jul 01, 2020 4:39 pm
Forum: General
Topic: Pihole DNS hairpin NAT rule help [SOLVED]
Replies: 14
Views: 3499

Re: Pihole DNS hairpin NAT rule help [SOLVED]

You are right: putting PiHole on its own separate network will eliminate the need for hairpin nat at all. That's how I do it in my setup. @xvo Thanks to you again - I have this up and running and it works perfectly. On the "That's how I do it in my setup" virtuous comment, any other piec...
by RackKing
Wed Jul 01, 2020 2:42 am
Forum: General
Topic: Pihole DNS hairpin NAT rule help [SOLVED]
Replies: 14
Views: 3499

Re: Pihole DNS hairpin NAT rule help [SOLVED]

@xvo is right, The client was receiving an answer from your DNS server 192.168.1.20 while it was expecting an answer from 8.8.8.8... So you were getting a time out... Adding the Hair Pin NAT rules, the DNS request is dst-Nated to your DNS server and at the same time the source IP is source Nated wi...
by RackKing
Wed Jul 01, 2020 2:38 am
Forum: General
Topic: Pihole DNS hairpin NAT rule help [SOLVED]
Replies: 14
Views: 3499

Re: Pihole DNS hairpin NAT rule help [SOLVED]

You are right in your post's topic: the only thing that is missing are hairpin NAT rules for requests from your main lan, that were intercepted by your existing rules. add action=masquerade chain=srcnat src-address=192.168.1.0/24 dst-address-list=DNS_Servers dst-port=53 protocol=udp add action=masq...
by RackKing
Tue Jun 30, 2020 6:22 pm
Forum: General
Topic: Pihole DNS hairpin NAT rule help [SOLVED]
Replies: 14
Views: 3499

Pihole DNS hairpin NAT rule help [SOLVED]

I have a Pi-hole DNS server setup on my network. I have a guest network on a separate VLAN. The network has been up and running for some time, the Pi-hole is a new addition. FW address list LAN = 192.168.1.0/24 (local) 192.168.2.0/24 (guest) FW address list DNS_Server = 192.168.1.20 I am using 8.8....
by RackKing
Fri Jun 26, 2020 1:14 am
Forum: General
Topic: Switch connection/topography best practices?
Replies: 4
Views: 1101

Re: Switch connection/topography best practices?

Hi!

Star connection always best for bandwidth reason, but you can mix daisy with star and create additional fault tolerance with STP.
Thanks for the feedback!
by RackKing
Fri Jun 26, 2020 1:14 am
Forum: General
Topic: Switch connection/topography best practices?
Replies: 4
Views: 1101

Re: Switch connection/topography best practices?

The interconnection topology should respect the traffic topology at first place. If there is no significant traffic volume between two switches, then there is no need for a direct interconnection between them, so the star topology makes more sense, and even for the backup links it is better that th...
by RackKing
Thu Jun 25, 2020 4:40 pm
Forum: General
Topic: DNS Failover
Replies: 20
Views: 8258

Re: DNS Failover

@ferdytao

Checking in to see how this is working for you. I am about to set this up for myself. Can you share your setup?

Thanks.
by RackKing
Wed Jun 24, 2020 11:56 pm
Forum: General
Topic: Switch connection/topography best practices?
Replies: 4
Views: 1101

Switch connection/topography best practices?

Hi, I know this is a trivial question of sorts, but wanted some better feedback. Let's say I am working with a 4011 or CCR1009 copper router. I have 3 managed switches, 2 in the main rack and one switch in a remote rack. For sake of discussion we can pretend they are 48 port switches. The devices a...
by RackKing
Sat Jun 13, 2020 2:27 pm
Forum: General
Topic: Protected configuration of new router?
Replies: 13
Views: 1938

Re: Protected configuration of new router?

Of course you can also write a complete program in Python or whatever that uses API or even telnet/ssh to command the router to do whatever you want. You would then have to run that program on the installer's computer and hope that he will not try to find out what it is doing exactly. It all depend...
by RackKing
Sat Jun 13, 2020 2:16 pm
Forum: General
Topic: Protected configuration of new router?
Replies: 13
Views: 1938

Re: Protected configuration of new router?

Of course what I mean is just a script file that does the internet settings (if at all required, i.e. internet is not "ether1 with DHCP"), then it does a fetch to get the real config and an import. You would write it in the RouterOS scripting language and send it as a .rsc file. Ah - I th...
by RackKing
Sat Jun 13, 2020 1:54 pm
Forum: General
Topic: Protected configuration of new router?
Replies: 13
Views: 1938

Re: Protected configuration of new router?

Thanks for this.... Then I would have to have a script installed to run the main configuration script.... I don't use fetch much, but it looks like anyone could use that link to pull the script. If anyone else has any ideas please let me know. It depends on whether you want to protect your work fro...
by RackKing
Sat Jun 13, 2020 6:23 am
Forum: General
Topic: Protected configuration of new router?
Replies: 13
Views: 1938

Re: Protected configuration of new router?

If the router is on your network TR069 is designed for remote management. Another option is getting the installer to use Quickset and configure a unique VPN user and basic internet connection. Once you have your configuration with remote access remove the initial VPN config. Configure a Mikrotik MA...
by RackKing
Sat Jun 13, 2020 2:56 am
Forum: General
Topic: Protected configuration of new router?
Replies: 13
Views: 1938

Re: Protected configuration of new router?

Anyone else?
by RackKing
Fri Jun 12, 2020 5:33 pm
Forum: General
Topic: Protected configuration of new router?
Replies: 13
Views: 1938

Re: Protected configuration of new router?

@RackKing, are you aware of the fact that any legitimate user with access to the router can issue the command "/export" in the CLI, or look in Webfig or in Winbox to see/get all the configuration? Do you want to allow only yourself to manage the device of the user? If yes, then just don't...
by RackKing
Fri Jun 12, 2020 4:34 pm
Forum: General
Topic: Protected configuration of new router?
Replies: 13
Views: 1938

Re: Protected configuration of new router?

scp the rsc script to the device, ssh to the device, and import the rsc, then delete the rsc... Instead of scp you can of course also use "/tool fetch ..." to download the rsc from your own server... Of course the ssh service (default port 22) of the device must first be reachable from In...
by RackKing
Fri Jun 12, 2020 4:26 pm
Forum: General
Topic: Setting up Avahi Reflector in Mikrotik [SOLVED]
Replies: 21
Views: 6485

Re: Setting up Avahi Reflector in Mikrotik [SOLVED]

I'm unfortunately stuck with this. mDNS reflection seems to be working fine, printers, AirPlay devices shows up correctly on every VLAN immediately and works as it should. Though Chromecast devices and Spotify Connect devices don't seem to be working flawlessly. So these devices may need additional...
by RackKing
Fri Jun 12, 2020 6:40 am
Forum: General
Topic: Protected configuration of new router?
Replies: 13
Views: 1938

Protected configuration of new router?

I have looked into this a bit and hit a wall of sorts. I would like to send a script to an installer (remote from me) that is preconfigured and ready to go. They could then "run after reset" and the router would be configured. I do not, however, want them to have access to the configuratio...
by RackKing
Wed Jun 10, 2020 5:11 pm
Forum: General
Topic: Granular access to winbox options? Webfig?
Replies: 5
Views: 842

Re: Granular access to winbox options? Webfig?

You can also edit the file in a text editor. Thank you for this - it looks as simple as reordering the entries. Seems to work well. Adding specific tabs/entries looks a bit different - I can see some things (ro: true) make sense, but some of the other fields I have decided to show are not here. Am I...
by RackKing
Wed Jun 10, 2020 6:04 am
Forum: General
Topic: Granular access to winbox options? Webfig?
Replies: 5
Views: 842

Re: Granular access to winbox options? Webfig?

Is the order of the status page items set by the order in which you click them or their order in the menu? edit: Yes I can answer - it adds them to the status page in the order you add them. Hmmmm can you edit the order? Not really. Webfig is not a dumpster fire after all. I am a slow learner. Some...
by RackKing
Wed Jun 10, 2020 5:54 am
Forum: General
Topic: Granular access to winbox options? Webfig?
Replies: 5
Views: 842

Re: Granular access to winbox options? Webfig?

This is great - RTFM to me "If it is required to use created skin on other router you can copy files to skins folder on the other router. On new router it is required to add copied skin to user group to use it." I must have looked at this 1000000 times in the files area and simply ignored i...
by RackKing
Wed Jun 10, 2020 5:20 am
Forum: General
Topic: Granular access to winbox options? Webfig?
Replies: 5
Views: 842

Re: Granular access to winbox options? Webfig?

So.... I have played around with webfig and it surprisingly.... looks like it will do the job. If anyone can double check me I would appreciate it - 1. I turned on the web service and logged into the webfig page and selected design skin. I then created a "restricted" skin with the options ...
by RackKing
Wed Jun 10, 2020 4:08 am
Forum: General
Topic: Granular access to winbox options? Webfig?
Replies: 5
Views: 842

Granular access to winbox options? Webfig?

Hi, I have an opportunity to work with an integrator group that wants me to configure the router, support them, upgrade, etc... MSP stuff, but they need access to certain things, specifically the ability to setup DHCP reservations. I do not want them to be able to export my scripts or see detail...
by RackKing
Thu May 14, 2020 7:20 am
Forum: General
Topic: Static DNS best practice with dedicated server
Replies: 7
Views: 1453

Re: Static DNS best practice with dedicated server

Not sure if is proper way of handling DNS, but I left Cloudflare as DNS under DHCP-Server>Network and use NAT to redirect to my Pi-hole instance. My Pi-hole has the router set as its DNS so that I could use Static DNS and the router had Cloudflare set for its DNS. I have some that I don't want go...
by RackKing
Thu May 14, 2020 4:58 am
Forum: General
Topic: Static DNS best practice with dedicated server
Replies: 7
Views: 1453

Re: Static DNS best practice with dedicated server

LOL - 2 days ago Pihole V5 was released and ..... wait for it..... Local DNS records can now be added. Yay - it seems to be working. They have made a number of enhancements. You can read more about it here: if you are so inclined. https://pi-hole.net/2020/05/10/pi-hole-v5-0-is-here/#page-content I a...
by RackKing
Thu May 14, 2020 2:10 am
Forum: General
Topic: Static DNS best practice with dedicated server
Replies: 7
Views: 1453

Static DNS best practice with dedicated server

Hi, I have been playing around with PiHole on Raspberry Pi. It has been working pretty well as a network wide ad blocker and has certainly increased performance on mobile devices. I am specifying the DNS server in the DHCP server/network/dns servers setting. I have not found a good way to specify st...
by RackKing
Sun May 10, 2020 2:09 pm
Forum: Beginner Basics
Topic: MultiCast between VLANS (Chromecast vlan1) to/from (PC/Mobile vlan2)
Replies: 13
Views: 5081

Re: MultiCast between VLANS (Chromecast vlan1) to/from (PC/Mobile vlan2)

It's just a shame that a capable os doesn't have a process to handle multicast across bridge/vlans! No, it's not. The topic is about link-local multicast and that's the way it is supposed to work. routerOS does in fact offer "real" multicast routing with PIM and multicast package. -Chris ...
by RackKing
Fri May 08, 2020 12:29 pm
Forum: Scripting
Topic: Mikrotik RouterOS automatic backup and update script
Replies: 13
Views: 6664

Re: Mikrotik RouterOS automatic backup and update script

Auto upgrade MT routers may fail. There has over the last years been several times bug has been introduced or change to some like Wifi that made the router stopped working. So a delay is minimum thing that should be in the script. But If I had lots of routers and lots of time, I would have setup a ...
by RackKing
Thu May 07, 2020 7:00 pm
Forum: General
Topic: hAP ac2 board in a difference case?
Replies: 6
Views: 1514

Re: hAP ac2 board in a difference case?

So, I picked up a hEX and ... the boards are identical size and layout - ports, power, usb, LEDs, etc. The hAP board will fit very nicely into the hEX case for anyone interested :-). Really? Nice find! I had not thought of that. When you say hEX, you mean this one ? Indeed RB750Gr3 - below are some...
by RackKing
Thu May 07, 2020 1:00 pm
Forum: General
Topic: hAP ac2 board in a difference case?
Replies: 6
Views: 1514

Re: hAP ac2 board in a difference case?

So.... I picked up a hEX and.... the boards are identical size and layout - ports, power, usb, LEDs, etc... The hAP board will fit very nicely into the hEX case for anyone interested :-).
by RackKing
Wed May 06, 2020 3:18 pm
Forum: General
Topic: hAP ac2 board in a difference case?
Replies: 6
Views: 1514

Re: hAP ac2 board in a difference case?

3D printing? You could design a brand new device, RackKingTik ac² ;) Ah... very nice - that has a nice ring to it! I am doing some 3d printing. The OEM hAP ac2 case is anything but square, tapering in all directions - ugh. Modelling that would be a nightmare, but I might be able to do a rectangle f...
by RackKing
Wed May 06, 2020 6:18 am
Forum: General
Topic: hAP ac2 board in a difference case?
Replies: 6
Views: 1514

hAP ac2 board in a difference case?

Can the hAP ac2 board fit into any other case - like a hEX case? Front port connectors look the same. I do not have hex handy to open. The RB450Gx4 is very close to the performance of the hAP ac2..... I need a square case and don't use the Wi-Fi anyway.

Thoughts?
by RackKing
Thu Apr 30, 2020 5:52 pm
Forum: Scripting
Topic: Mikrotik RouterOS automatic backup and update script
Replies: 13
Views: 6664

Re: Mikrotik RouterOS automatic backup and update script

Hi - Thank you for all your great work on this! I have been testing it with great (perfect) success. I would like to offer a request for future enhancement. Some background.... The issue for me comes down to the risks of auto update VS un-patched and updated systems in the wild. In my experience it is e...
by RackKing
Wed Apr 29, 2020 9:05 pm
Forum: General
Topic: Auto updating ROS - yeah or nay?
Replies: 7
Views: 1661

Re: Auto updating ROS - yeah or nay?

My opinion, as you've explicitly asked for it, is "yes to automatic update in terms of not logging in manually to every single device in my network, but no to each device blindly upgrading to the newest LTS release as soon as it appears on Mikrotik web". Whoever manages a large installed ...
by RackKing
Wed Apr 29, 2020 9:03 pm
Forum: General
Topic: Auto updating ROS - yeah or nay?
Replies: 7
Views: 1661

Re: Auto updating ROS - yeah or nay?

Since you explicitly asked me to donate my 5 cents ... I've nothing to add to @sindy's endless wisdom.
Wow can I get a refund :-) You can pile on.
by RackKing
Wed Apr 29, 2020 7:31 pm
Forum: General
Topic: Auto updating ROS - yeah or nay?
Replies: 7
Views: 1661

Re: Auto updating ROS - yeah or nay?

It is good and recommended to keep your Device up to date. But I do not think that this means that we should update to every single new release that comes out unless it Fixes a Security issue or a Bug that was causing problems to our setup... But this is just my opinion... Thanks Zacharias that mak...
by RackKing
Wed Apr 29, 2020 7:09 pm
Forum: General
Topic: hAP ac³ LTE6 kit use case?
Replies: 6
Views: 1290

Re: hAP ac³ LTE6 kit use case?

Thanks again for the feedback.

@sindy @mkx - If you two could chime in on my other post I would appreciate it.

I was hoping @anva would have some colorful input :-)

viewtopic.php?f=2&t=160551
by RackKing
Wed Apr 29, 2020 3:28 pm
Forum: General
Topic: Auto updating ROS - yeah or nay?
Replies: 7
Views: 1661

Auto updating ROS - yeah or nay?

I suspect this will be somewhat controversial and I hope to get many different "insightful" opinions :-) I have seen and dabbled with some of the auto update scripts that are out there. Some of them do alerting, backups, stable/long-term channel choice, etc... - really well done. My que...
by RackKing
Wed Apr 29, 2020 2:10 pm
Forum: General
Topic: hAP ac³ LTE6 kit use case?
Replies: 6
Views: 1290

Re: hAP ac³ LTE6 kit use case?

"A huge advantage where there are a lot of LTE users in the area..." Don't they mean LTE service providers? No, users indeed. You have to read the previous sentences properly: It enables carrier aggregation, allowing you to use the LTE connection with speed up to 300 Mbps. It works by usi...
by RackKing
Wed Apr 29, 2020 1:03 pm
Forum: General
Topic: hAP ac³ LTE6 kit use case?
Replies: 6
Views: 1290

hAP ac³ LTE6 kit use case?

I saw this was released in the newsletter today. Is built in LTE designed to be used as a fail-over/aggregation in addition to a traditional broadband connection? I am surprised it does not have an external LTE antenna option. "A huge advantage where there are a lot of LTE users in the area..."...
by RackKing
Wed Apr 29, 2020 4:55 am
Forum: Scripting
Topic: Auto upgrade script
Replies: 20
Views: 28150

Re: Auto upgrade script

This has really been working out well. Thank you so much again. Jotne's comment is valid - perhaps that could be a tweak in future versions? From a scheduling frequency standpoint, would it be adequate to run this every 7 days? Or is one day more desirable to catch more critical security patches? Ju...
by RackKing
Thu Mar 26, 2020 9:11 am
Forum: General
Topic: IPV6 novice question....
Replies: 7
Views: 1723

Re: IPV6 novice question....

I did a quick test and L2TP server in RouterOS doesn't seem to listen on IPv6.
Thank you very much for this.
by RackKing
Thu Mar 26, 2020 9:11 am
Forum: General
Topic: IPV6 novice question....
Replies: 7
Views: 1723

Re: IPV6 novice question....

As mentioned unless your ISP provides you with an IPv6 WAN address there is no way they will be able connect directly using IPv6, so that is the starting point. If the Mikrotik L2TP server does not support IPv6 that will be a non-starter too. If they only have IPv6 their provider will be providing ...
by RackKing
Thu Mar 26, 2020 3:49 am
Forum: General
Topic: IPV6 novice question....
Replies: 7
Views: 1723

Re: IPV6 novice question....

IPv4 and IPv6 are two distinct protocols. Similar, but not the same. You can't have IPv6 addresses in IPv4 firewall. And since you ask about something so basic, I should point out that most important first step is to have IPv6 connectivity, which is not automatic, your ISP must provide it and many ...
by RackKing
Wed Mar 25, 2020 11:52 pm
Forum: General
Topic: IPV6 novice question....
Replies: 7
Views: 1723

IPV6 novice question....

Hi, I have a 3011 setup with a L2TP/IPSEC VPN server and have created a white-list for remote clients. One of these clients has an IPV6 WAN address. I know I need to add the IPV6 package, but how much more involved is it beyond that. I am just looking for some advice to get started. Can I use the IPV...
by RackKing
Wed Feb 19, 2020 2:00 am
Forum: General
Topic: L2 adoption tool over VPN?
Replies: 0
Views: 1481

L2 adoption tool over VPN?

Hi,

I have a MT router on site with a l2tp/ipsec vpn up and running. I am connected remotely via with W10 client to the site to problem. I have a remote L2 adoption/configuration tool on my remote PC that I am trying to use over VPN. Is there a way to make this work?

Thanks in advance.
by RackKing
Wed Jan 29, 2020 6:42 pm
Forum: Scripting
Topic: Auto upgrade script
Replies: 20
Views: 28150

Re: Auto upgrade script

Here is my version of auto-upgrade script, it has many features such as backup to your email before performing RouterOS upgrade process
https://github.com/beeyev/Mikrotik-Rout ... and-update
This looks fantastic - thank you for this.
by RackKing
Wed Jan 29, 2020 6:27 pm
Forum: RouterBOARD hardware
Topic: Hardware Wishlist
Replies: 18
Views: 6528

Re: Hardware Wishlist

I would love to see:
RB4011 with M.2 LTE & USB 3 port.
+ change form factor to real rack mount chassis, i.e. 3011rm... and while at it, add the buzzer back.
by RackKing
Thu Dec 26, 2019 5:46 pm
Forum: Beginner Basics
Topic: get Alert by email on new Device [SOLVED]
Replies: 19
Views: 8612

Re: get Alert by email on new Device [SOLVED]

Very nice - thank you. Nice Addition to the script add filter rule to block mac address from using internet :local recipient "someemail@server.com" /ip dhcp-server lease :if (($leaseBound=1) && ([/ip dhcp-server lease find where dynamic mac-address=$leaseActMAC]!="")) do ...
by RackKing
Sun Dec 08, 2019 12:51 am
Forum: General
Topic: Feature requests
Replies: 1302
Views: 311617

Re: Feature requests

double
by RackKing
Sun Dec 08, 2019 12:50 am
Forum: General
Topic: Feature requests
Replies: 1302
Views: 311617

Re: Feature requests

Add an "interface watch" for link-up / link-down functionality to script in. Similar to Netwatch host.
by RackKing
Sun Dec 08, 2019 12:49 am
Forum: General
Topic: Feature requests
Replies: 1302
Views: 311617

Re: Feature requests

Add an "interface watch" for link-up / link-down functionality to script off of. Similar to Netwatch.
by RackKing
Sat Dec 07, 2019 2:12 am
Forum: General
Topic: VLAN security - ingress filtering questions.
Replies: 4
Views: 1470

Re: VLAN security - ingress filtering questions.

priority-tagged ... I've never seen ones, but legend goes that if one wants to use QoS field, that one comes as 802.1Q tag (commonly referred to as VLAN tag, but there's more to it) with VID set to some invalid value (e.g. 0) ... which technically makes such frame "not untagged" ... in pa...
by RackKing
Sat Dec 07, 2019 12:42 am
Forum: General
Topic: "Netwatch" for interface status?
Replies: 2
Views: 704

Re: "Netwatch" for interface status?

anyone?
by RackKing
Sat Dec 07, 2019 12:42 am
Forum: General
Topic: VLAN security - ingress filtering questions.
Replies: 4
Views: 1470

Re: VLAN security - ingress filtering questions.

Thanks anva -

Any idea what "priority" tag means?
How is the admit all any different from admit untagged and tagged?
by RackKing
Fri Dec 06, 2019 9:37 pm
Forum: General
Topic: VLAN security - ingress filtering questions.
Replies: 4
Views: 1470

VLAN security - ingress filtering questions.

I have been reading over pcunite's great article - "Using RouterOS to VLAN your network". Many thanks to him, this is a must read. Very, very well done. I am using some of his script to support my questions here. His post has got me thinking about a couple of questions I would like to get ...
by RackKing
Fri Dec 06, 2019 3:16 pm
Forum: General
Topic: "Netwatch" for interface status?
Replies: 2
Views: 704

"Netwatch" for interface status?

Is there a simple way to alert on the status of an interface - link up or down? Then do some alerting like you can in Netwatch?

I believe I can create a script to watch the interface and trigger - but it would need to run very frequently to be of value for me in this case.

Thanks in advance.
by RackKing
Fri Dec 06, 2019 12:44 am
Forum: General
Topic: Keep text notes / change log on router?
Replies: 11
Views: 1442

Re: Keep text notes / change log on router?

Thank you pe1ch and to all who responded.
by RackKing
Thu Dec 05, 2019 7:33 pm
Forum: General
Topic: Please add basic portScan tool ( port scanner scan )
Replies: 57
Views: 23740

Re: Please add basic portScan tool ( port scanner scan )

+1

It would be a useful tool for remote network testing

agree - my +1
by RackKing
Thu Dec 05, 2019 6:47 pm
Forum: General
Topic: Keep text notes / change log on router?
Replies: 11
Views: 1442

Re: Keep text notes / change log on router?

What eworm wrote is right. Backups on the router itself are lost when the router no longer works, so they should be stored somewhere else. "github" is a webservice that hosts "git", which I use locally. This is a Linux program but it also exists for Windows. However, there proba...
by RackKing
Thu Dec 05, 2019 5:18 pm
Forum: General
Topic: Keep text notes / change log on router?
Replies: 11
Views: 1442

Re: Keep text notes / change log on router?

Thanks again - I will look toward windows solutions. I looked at git hub in the past. Sounds like I will revisit it. I do like the idea of something local. It also serves as the backup for your configurations, keeping them in the router is not safe. Can you expand on this? What do you specifically m...
by RackKing
Thu Dec 05, 2019 4:37 pm
Forum: General
Topic: Keep text notes / change log on router?
Replies: 11
Views: 1442

Re: Keep text notes / change log on router?

There is a feature to set some text notes in the /system note command but it does not seem to be available anymore on the GUI. However, to do what you want I suggest to: - use the comment facility to indicate the purpose of config items like firewall rules etc. - get some version management softwar...
by RackKing
Thu Dec 05, 2019 3:29 pm
Forum: General
Topic: Keep text notes / change log on router?
Replies: 11
Views: 1442

Keep text notes / change log on router?

Hi,

Is there a way to store text notes for a change log on the router? I could create a dummy script, but that seems odd.

When I make changes and backup/export the configuration I would like to keep track of what I changed on that router. I am too old to remember anymore.....

Thanks
by RackKing
Thu Dec 05, 2019 3:58 am
Forum: Beginner Basics
Topic: get Alert by email on new Device [SOLVED]
Replies: 19
Views: 8612

Re: get Alert by email on new Device [SOLVED]

I've got this script from a search but also no email sent when a new device connected to network I put it in dhcp server alert with default settings of new alert :local recipient "someemail@soemserver.com" /ip dhcp-server lease :if ($leaseBound = 1) do={ :do { :tool e-mail send to=$recipi...
by RackKing
Sun Nov 24, 2019 8:19 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM power supply question
Replies: 14
Views: 3751

Re: RB4011iGS+RM power supply question

So.... I did some testing with a 4011, 3011, and hAP ac^2. I measured these using a Kilowatt EZ P3 using the appropriate OEM PSU. I had 5 Ethernet devices connected when taking the measurements. RB4011 Specifications PSU: 24V - 1500mA Max Power: 33 W Max without attachments: 18 W Measurements Amps: ...
by RackKing
Sat Nov 23, 2019 8:07 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM power supply question
Replies: 14
Views: 3751

Re: RB4011iGS+RM power supply question

Can someone tell me why the manufacturer gives this product with a 24V 1.5A since as you say it works with no problem at 24V 0.8A? For me the answer is that there is a reason for this. Am just really curious to have your opinion since you easily ignore the PS ratings the manufacturer gives for his ...
by RackKing
Sat Nov 23, 2019 8:06 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM power supply question
Replies: 14
Views: 3751

Re: RB4011iGS+RM power supply question

Can someone tell me why the manufacturer gives this product with a 24V 1.5A since as you say it works with no problem at 24V 0.8A? For me the answer is that there is a reason for this. Am just really curious to have your opinion since you easily ignore the PS ratings the manufacturer gives for his ...
by RackKing
Sat Nov 23, 2019 5:53 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM power supply question
Replies: 14
Views: 3751

Re: RB4011iGS+RM power supply question

Specs say that max power draw without attachments (whatever those might be) is 18W. At 24V that translates to 0.75A. If your old 2011 came with 24V 1.2A power adapter, then you should be fine. Only Krishna knows if the old PA is still capable of delivering its rated current though ... Thanks mxk. O...
by RackKing
Sat Nov 23, 2019 12:49 am
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM power supply question
Replies: 14
Views: 3751

Re: RB4011iGS+RM power supply question

Since it comes with a PS of 24V 1.5A that is the suggested.
Otherwise you should measure the current draw of the device under full load and see how much current it draws.
I can do that I was just searching for the simple answer first .....
by RackKing
Fri Nov 22, 2019 11:03 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM power supply question
Replies: 14
Views: 3751

Re: RB4011iGS+RM power supply question

I would never use a Power supply of a lower rating than the manufacturer suggests.
Personally i would extend the cable if needed.
Yes I'm just not sure what the manufacturer suggests
by RackKing
Fri Nov 22, 2019 5:18 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM power supply question
Replies: 14
Views: 3751

RB4011iGS+RM power supply question

Hi, First let me say the rack mount ears for the RB4011iGS+RM are simply terrible. Ugh. Second - I replaced an older 2011 with a 4011. The 4011 PS cable is shorter than the 2011 and too short to reach. Does anyone know the max amp draw of the 4011. I see the amp draw per port - but not the draw for ...
by RackKing
Thu Nov 21, 2019 5:19 pm
Forum: General
Topic: System note popup every login now?
Replies: 4
Views: 2069

Re: System note popup every login now?

It is expected in the latest RouterOS versions. You can disable it with: /system note set show-at-login=no Can i disable it only in Winbox logins? That is a good question - it used to popup every time a new terminal was opened. Now it seems to do both - winbox log in and new terminal. I probably mi...
by RackKing
Tue Nov 19, 2019 10:02 pm
Forum: General
Topic: Winbox help - make new entry VS overwrite?
Replies: 8
Views: 1057

Re: Winbox help - make new entry VS overwrite?

I can create a Static DNS name for the router and use that. Any other ideas?
by RackKing
Tue Nov 19, 2019 3:20 pm
Forum: General
Topic: System note popup every login now?
Replies: 4
Views: 2069

Re: System note popup every login now?

It is expected in the latest RouterOS versions. You can disable it with:
/system note set show-at-login=no
Ok - thanks
by RackKing
Tue Nov 19, 2019 3:19 pm
Forum: General
Topic: Winbox help - make new entry VS overwrite?
Replies: 8
Views: 1057

Re: Winbox help - make new entry VS overwrite?

one thing you can do is to change default winbox port 8291 to something different in one of the routers in that way you can add two routers with the same IP addreses i tried this and it worked Thanks for this .... but then I would have to use different ports for each one. Looks like no easy way to ...
by RackKing
Tue Nov 19, 2019 1:06 pm
Forum: General
Topic: System note popup every login now?
Replies: 4
Views: 2069

System note popup every login now?

I have updated winbox and am using the latest stable 6.45.7. Every login via winbox reveals the system note popup - not just note at top of terminal.

Is this now the expected behavior and I just missed it?
by RackKing
Tue Nov 19, 2019 12:33 pm
Forum: General
Topic: Winbox help - make new entry VS overwrite?
Replies: 8
Views: 1057

Re: Winbox help - make new entry VS overwrite?

Can anyone provide some feedback? Any work around?
by RackKing
Sun Nov 17, 2019 9:25 pm
Forum: General
Topic: Winbox help - make new entry VS overwrite?
Replies: 8
Views: 1057

Re: Winbox help - make new entry VS overwrite?

Update your winbox, clear its cache and test again.
Thanks for this - unfortunately it did not work. It keeps updating.

Anyone else? Is this the expected behavior?
by RackKing
Sun Nov 17, 2019 8:55 pm
Forum: General
Topic: Winbox help - make new entry VS overwrite?
Replies: 8
Views: 1057

Re: Winbox help - make new entry VS overwrite?

Update your winbox, clear its cache and test again.
I will give the cache a shot.
by RackKing
Sun Nov 17, 2019 2:34 am
Forum: General
Topic: Winbox help - make new entry VS overwrite?
Replies: 8
Views: 1057

Winbox help - make new entry VS overwrite?

so.... I am creating an entry of 192.168.88.1 with a user name of JimBob and some huge password. I also may add it to a Group like Company XYZ, and perhaps provide a location Note=SunnyPlace. I then use a VPN to access said 88.1 router. Life is good. When I add another router with that same IP (192....
by RackKing
Wed Nov 13, 2019 3:02 pm
Forum: General
Topic: Get bridge mac address for to use in a script [SOLVED]
Replies: 4
Views: 1025

Re: Get bridge mac address for to use in a script [SOLVED]

For all named objects, you can actually replace [find name=xxx] by just xxx in the get (and other) commands.
Thank you - that is very helpful for me. Now I just need to remember :-).
by RackKing
Wed Nov 13, 2019 2:40 pm
Forum: General
Topic: Get bridge mac address for to use in a script [SOLVED]
Replies: 4
Views: 1025

Re: Get bridge mac address for to use in a script [SOLVED]

Does
/ip dhcp-server alert add alert-timeout=10m disabled=no interface=bridge valid-server=[/interface bridge get [find name=bridge] mac-address]
not work?
Perfect - thank you.
by RackKing
Wed Nov 13, 2019 4:33 am
Forum: General
Topic: Get bridge mac address for to use in a script [SOLVED]
Replies: 4
Views: 1025

Get bridge mac address for to use in a script [SOLVED]

I am trying to write a script for rogue DHCP alerting to be used on a new router. I am trying to get bridge MAC address and plug it in automagically. Alert command: If I copy the command from another router that MAC is wrong. /ip dhcp-server alert add alert-timeout=10m disabled=no interface=bridge v...
by RackKing
Wed Nov 13, 2019 1:38 am
Forum: Scripting
Topic: Find bridge MAC address for script?
Replies: 0
Views: 1847

Find bridge MAC address for script?

I am writing a new script to add DHCP alerts to a new router. I need to grab the new router's bridge MAC address and use it in the valid servers field. Is there a command I can use in my script to pull that?
by RackKing
Tue Nov 12, 2019 12:34 am
Forum: General
Topic: Winbox security/access using FW lists and/or IP service [SOLVED]
Replies: 8
Views: 1917

Re: Winbox security/access using FW lists and/or IP service [SOLVED]

Question 1 - What is the difference between these two approaches and their advantage or disadvantages? Is there ever a time you would use both? The firewall rules allow any type of connection to the router from your address list. While "available from" is tied to a specific service. Howev...
by RackKing
Mon Nov 11, 2019 6:15 pm
Forum: General
Topic: Winbox security/access using FW lists and/or IP service [SOLVED]
Replies: 8
Views: 1917

Re: Winbox security/access using FW lists and/or IP service [SOLVED]

I use both a. firewall input rule limited by source address list and in-interface list (not port specific as the admin I want full access)*** b. use ip services winbox that limits to specific IP (I add IPs when needed depending on what network I will be working within). c. for login System users d....
by RackKing
Mon Nov 11, 2019 5:30 pm
Forum: General
Topic: Winbox security/access using FW lists and/or IP service [SOLVED]
Replies: 8
Views: 1917

Re: Winbox security/access using FW lists and/or IP service [SOLVED]

Question 1 - What is the difference between these two approaches and their advantage or disadvantages? Is there ever a time you would use both? The firewall rules allow any type of connection to the router from your address list. While "available from" is tied to a specific service. Howev...
by RackKing
Mon Nov 11, 2019 4:26 pm
Forum: General
Topic: Winbox security/access using FW lists and/or IP service [SOLVED]
Replies: 8
Views: 1917

Winbox security/access using FW lists and/or IP service [SOLVED]

I have a few questions and will try and be as clear and concise as possible. My question is specific to these areas - I am not asking for "securing your router" in general items. Considering that, I understand you can limit router access via winbox with filter rules that look like this for...
by RackKing
Sun Nov 10, 2019 3:38 pm
Forum: General
Topic: Router access with Winbox using VPN [SOLVED]
Replies: 13
Views: 4856

Re: Router access with Winbox using VPN [SOLVED]

Thank you for this - are you saying add the user to an interface list? It looks like you can specify an interface list in the profile. I would need to create different VPN profiles as opposed to default. Do i have that right? You can create "L2TP Server Binding" interfaces for every user,...
by RackKing
Sun Nov 10, 2019 12:23 am
Forum: General
Topic: Router access with Winbox using VPN [SOLVED]
Replies: 13
Views: 4856

Re: Router access with Winbox using VPN [SOLVED]

Should I consider a port knock on prior to allowing a VPN connection? That's not needed. L2TP+IPSec will be secure enough. Then allow that IP address via a firewall filter input rule access to Winbox port 8291. Or you can allow access from the l2tp-in interface created for that user instead. Thank ...
by RackKing
Sat Nov 09, 2019 11:45 pm
Forum: General
Topic: Router access with Winbox using VPN [SOLVED]
Replies: 13
Views: 4856

Router access with Winbox using VPN [SOLVED]

Just looking for confirmation and/or recommendations to further harden. For remote access, I am planning on using a L2TP/IPSec VPN connection. I am planning on giving the admin VPN user a specific IP address say 192.168.88.5. Then allow that IP address via a firewall filter input rule access to Winb...
by RackKing
Fri Nov 08, 2019 4:21 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Do not insert lists that are bigger than 63KiB, those would only will be loaded incomplete. # Written by Shumkov # Adapted by blacklister # 20191108 /ip firewall address-list :local update do={ :do { :local result [/tool fetch url=$url as-value output=user]; :if ($result->"downloaded" != ...
by RackKing
Fri Nov 08, 2019 10:49 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Do you have a dedicated link the fullbogons piece? I cannot seem to find a direct url for it? Fullbogons_IPv4: http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt All bogon lists: https://www.team-cymru.com/bogon-reference-http.html Bogons via BGP: https://www.team-cymru.com/bogon-refere...
by RackKing
Thu Nov 07, 2019 2:13 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Thank you for that.

Do you have a dedicated link the fullbogons piece? I cannot seem to find a direct url for it?
by RackKing
Mon Nov 04, 2019 4:00 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Is there a way to check the file size and have it trigger the email tool if it gets beyond the max file size?
by RackKing
Mon Nov 04, 2019 2:29 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

That's right, I took FireHOL Level1 as the basis. I removed “Feodo Tracker” and “Ransomware Tracker”, replaced “Bambenek C2” with “Bambenek High-Confidence C2” (as Bambenek recommended it myself), and also removed “Fullbogons” - I get them using BGP. Makes perfect sense. Thank you again so much for...
by RackKing
Mon Nov 04, 2019 2:26 pm
Forum: General
Topic: DPI information solution?
Replies: 1
Views: 675

Re: DPI information solution?

anyone?
by RackKing
Mon Nov 04, 2019 2:56 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

malc0de

$update url=http://malc0de.com/bl/IP_Blacklist.txt description="Malc0de" delimiter=("\n")
by RackKing
Mon Nov 04, 2019 2:42 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Do not forget about file size - maximum 63 KiB . If the file size is larger than the maximum, only part of the file will be processed ( the first 63 KiB ), and the rest of the file will be discarded. FireHOL Level2 is bigger than 63 KiB :) What is general recommendation on how often to grab new lis...
by RackKing
Sun Nov 03, 2019 10:53 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Do not forget about file size - maximum 63 KiB . If the file size is larger than the maximum, only part of the file will be processed ( the first 63 KiB ), and the rest of the file will be discarded. FireHOL Level2 is bigger than 63 KiB :) What is general recommendation on how often to grab new lis...
by RackKing
Sun Nov 03, 2019 8:00 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Nice Work! I added FireHOL Level2 to the script as well, in case you're interested. Just added this line: $update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset description="FireHOL Level2" delimiter=("\n") -zeb This appears to fail fo...
by RackKing
Sun Nov 03, 2019 7:50 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Nice Work! I added FireHOL Level2 to the script as well, in case you're interested. Just added this line: $update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset description="FireHOL Level2" delimiter=("\n") -zeb This appears to fail fo...
by RackKing
Sun Nov 03, 2019 5:42 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Nice Work! I added FireHOL Level2 to the script as well, in case you're interested. Just added this line: $update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset description="FireHOL Level2" delimiter=("\n") -zeb This appears to fail fo...
by RackKing
Sun Nov 03, 2019 5:20 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 20915

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Hi - This looks great. I will give it a try. Update - I just run this and it works great - no errors and works perfectly What is general recommendation on how often to grab new lists - daily? Am I correct it removes or ignores duplicate entries? It would be great to keep this updated with additional...
by RackKing
Sat Nov 02, 2019 11:14 pm
Forum: General
Topic: DPI information solution?
Replies: 1
Views: 675

DPI information solution?

So.... I was asked about DPI statistics as provided by like say a Ubiquiti USG product. Do you have any recommendations for add on solutions to a MT to get this kind of data in a similar dashboard? The target would be for small to medium sized business.

Thanks in advance.
by RackKing
Wed Aug 07, 2019 4:24 pm
Forum: RouterBOARD hardware
Topic: WAN to LAN performance clarity sought...
Replies: 1
Views: 1221

WAN to LAN performance clarity sought...

Hi, I just want to make sure I am interpreting this correctly. Here is some basic info copied in from the Tik Site for 512 bytes hAP AC^2 - Routing 25 ip filter rules 986.3 RB3011 - Routing 25 ip filter rules 836.0 RB4011 - Routing 25 ip filter rules 2,560.8 I am looking at these devices for routing...
by RackKing
Thu Jul 25, 2019 5:33 pm
Forum: General
Topic: Firewall filter when port forwarded
Replies: 4
Views: 2263

Re: Firewall filter when port forwarded

Hi anav - On this - add chain=forward action=accept in-interface=WAN \ connection-state=new nat-connection-state=dst nat Does/should the connection state need to be new? Or does it matter? Thanks ... Okay your individual rules need to be in NAT, only one general firewall filter rule (forward chain) ...
by RackKing
Wed Jul 24, 2019 3:29 pm
Forum: Beginner Basics
Topic: Virtual AP Mac address... use same ones?
Replies: 1
Views: 559

Virtual AP Mac address... use same ones?

Hi, I have a script for hAP ac2 that has wifi settings. I notice that when I create a virtual AP it creates a random (I think) MAC address for it. I realize this a requirement. When I export that config and want to use it in another hAP - can I use the same MAC the original one generated? It has the...
by RackKing
Wed Jun 19, 2019 3:33 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

I have done some more testing on various versions of this script and typical failures that in my mind simulate a malicious attack.. Here are my findings. The script will work properly if the log messages is in this exact format: x.x.x.x phase 1 negotiation failed I believe this is when the VPN serve...
by RackKing
Tue Jun 18, 2019 3:21 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

7d does not work, max 24h, since field is just hour. Did you try then end of line $ ? :local loglist [:toarray [/log find message~"negotiation failed.\$"]] Ah - thank you for the clarification on the 24h part. The first time I ran that as I indicated in #22 I got nothing. How when I run it...
by RackKing
Tue Jun 18, 2019 2:46 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

I also went back to post #6 and re ran those scripts thinking that since we had different "negotiation failed" messages these may work. But I did not receive output from either. I did adjust the time back far enough to grab them. Below is the second one. :put [:toarray [/log find time>([/s...
by RackKing
Tue Jun 18, 2019 2:38 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

I was working with the script again in an effort to get it going - here is where I am at. This: [ :local loglist [:toarray [/log find (message~"negotiation failed" || message~"src_ip")]] :foreach i in=$loglist do={ :local logMessage [/log get $i message] :local ip [:pick $logMessage...
by RackKing
Mon Jun 17, 2019 1:33 am
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

Again - thank you for your help. I really appreciate your help like to get his working. Here is the output from the first version https://i.imgur.com/zbjNFkZ.jpg Or this may do, make sure negotiation filed. is at the end of the line The second version did not pull anything. So the first version appe...
by RackKing
Sun Jun 16, 2019 4:41 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

Here is one where id work the IP and message = is the IP address

Image
by RackKing
Sun Jun 16, 2019 4:36 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

Thank you for your continued help in this.

This is a sample of what I get.... it is about 20-30 lines longer.

Image
by RackKing
Sun Jun 16, 2019 2:29 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

For clarity - when I use what I believe is the "within last 24 hour" part of the original script I get no output. [ :local loglist [:toarray [/log find time>([/system clock get time] -24h) message~"negotiation failed"]] :foreach i in=$loglist do={ :local logMessage [/log get $i m...
by RackKing
Sun Jun 16, 2019 2:11 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

For anyone who may see this - here is some code I have cobbled together to produce the following output. To be clear - this was code that Jotone wrote and is his credit. I am simply trying to find why it does not work for me. [ :local loglist [:toarray [/log find message~"negotiation failed&quo...
by RackKing
Sun Jun 16, 2019 12:47 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

Ok Jotne - Thank you for the links. I assume the script you posted works on your MTs? I would have thought that I could copy a working script and duplicate the results. I will struggle with it some more, but probably do not have the programming skills to work through it. Thanks again for your efforts.
by RackKing
Sun Jun 16, 2019 3:57 am
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

[ :local list [:toarray [/log find message~"negotiation failed"]] :put "ID-List" :put $list :put "" :put "Log lines" :foreach i in=$list do={ :put [/log print as-value where .id=$i]} ] So I ran that - and the log started filling up with lots of lines... I had...
by RackKing
Sun Jun 16, 2019 3:19 am
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

When I copy that in CLI I get the following - ID-List Log lines That is it - with two blanks between. The log is filled with at least 10 "negotiation failed" lines in the last 24 hours. Could the clock be causing a problem? The log is stored in memory - I assume that is ok as default? upda...
by RackKing
Sat Jun 15, 2019 2:50 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

Hi - Here is what happens with the first part - 1. dynamically created a FW address-list rule named IPSEC with and address of phase1. Timeout is correct. 2. Terminal L1: script=IPSEC_failed src_ip=phase1 3. Terminal L2: failure: already have such entry note: I deleted the previous phase1 entries for...
by RackKing
Sat Jun 15, 2019 3:25 am
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

Thanks Jotne - I will try it later and report back.
by RackKing
Fri Jun 14, 2019 4:00 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

I was trying to copy your original post in to the script windows and not CLI. Adding it Via CLI worked better. It ran and gave me a FW entry this time, but it does not pull the IP from the log entry. Here is the log add from the script: script=IPSEC_failed src_ip=phase1 That is the beginning of the ...
by RackKing
Fri Jun 14, 2019 2:31 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

When I add all the script code via copy/paste it fails. So this must be some CR issue on my end.

I will try and sort it later.

Thanks for your help
by RackKing
Thu Jun 13, 2019 4:16 pm
Forum: General
Topic: L2TP/IPSec more than one shared secret? [SOLVED]
Replies: 8
Views: 2604

Re: L2TP/IPSec more than one shared secret? [SOLVED]

Got it - I understand and appreciate your comments.

Your concise explanations are great.
by RackKing
Thu Jun 13, 2019 2:33 pm
Forum: Scripting
Topic: Script to add IP of failed IPSEC login to block list
Replies: 28
Views: 6272

Re: Script to add IP of failed IPSEC login to block list

Thank you for this!
by RackKing
Thu Jun 13, 2019 1:32 pm
Forum: RouterBOARD hardware
Topic: Mikrotik SFP / Cisco
Replies: 3
Views: 1968

Re: Mikrotik SFP / Cisco

Probably not massively helpful for you but I successfully use the Cisco GLC-SX-MM SFP's in all of my MT devices. Dirt cheap on the second hand market as well.
Thanks for the tip - very helpful
by RackKing
Thu Jun 13, 2019 12:38 pm
Forum: General
Topic: L2TP/IPSec more than one shared secret? [SOLVED]
Replies: 8
Views: 2604

Re: L2TP/IPSec more than one shared secret? [SOLVED]

Thank you. For a road warrior scenario - is there an approach that will work? Alternative VPN or otherwise? As for firewall handling of the contractor, there is plenty of possibilities: you can set a specific remote-address in the contractor's /ppp secret item, or you can make that item refer to a d...
by RackKing
Thu Jun 13, 2019 4:35 am
Forum: General
Topic: L2TP/IPSec more than one shared secret? [SOLVED]
Replies: 8
Views: 2604

Re: L2TP/IPSec more than one shared secret? [SOLVED]

Thanks sindy - Can the address be the address assigned to them in the /ppp /secrets local-address? So when those credentials are used they always get the same IP that I can use in FW filter rules? I am assuming that "Incoming connection requests from the IP address" refers to the contr...
by RackKing
Thu Jun 13, 2019 1:44 am
Forum: General
Topic: L2TP/IPSec more than one shared secret? [SOLVED]
Replies: 8
Views: 2604

Re: L2TP/IPSec more than one shared secret? [SOLVED]

Looks like there has to be a peer and an identity. Did not get it working.

It looks like the key in peer1 is taken from the L2TP server settings.
by RackKing
Wed Jun 12, 2019 2:16 pm
Forum: General
Topic: L2TP/IPSec more than one shared secret? [SOLVED]
Replies: 8
Views: 2604

L2TP/IPSec more than one shared secret? [SOLVED]

I have an L2TP/IPSec VPN server up and running on our Mikrotik. I would like to add a VPN user who is outside our organization (i.e. not our employee) in order to gain access to certain assets for support. I know I can specify a remote address and use firewall filter rules with that address to limit ac...
by RackKing
Tue Jun 11, 2019 11:07 am
Forum: General
Topic: LT2P/IPSec VPN working no internet access [SOLVED]
Replies: 6
Views: 5874

Re: LT2P/IPSec VPN working no internet access [SOLVED]

Thank you again.
by RackKing
Mon Jun 10, 2019 2:43 pm
Forum: General
Topic: LT2P/IPSec VPN working no internet access [SOLVED]
Replies: 6
Views: 5874

Re: LT2P/IPSec VPN working no internet access [SOLVED]

"So either add an interface-list=LAN item to the /ppp profile" This looks like a cleaner way to do it. Should I add the interface-list=LAN to both the default and default-encryption profile? To test, I added it to the default-encryption profile and it worked. I did not realize you could dy...
by RackKing
Mon Jun 10, 2019 2:10 am
Forum: General
Topic: LT2P/IPSec VPN working no internet access [SOLVED]
Replies: 6
Views: 5874

Re: LT2P/IPSec VPN working no internet access [SOLVED]

Ok - good idea # jun/09/2019 17:49:01 by RouterOS 6.44.3 /interface vlan add interface=main_bridge name=main-v10 vlan-id=10 /interface list add name=WAN add name=LAN /ip pool add name=main ranges=192.168.254.50-192.168.254.199 add name=vpn ranges=192.168.50.50-192.168.50.80 /ip dhcp-server add addre...
by RackKing
Sun Jun 09, 2019 8:52 pm
Forum: General
Topic: LT2P/IPSec VPN working no internet access [SOLVED]
Replies: 6
Views: 5874

LT2P/IPSec VPN working no internet access [SOLVED]

Hi - I have an L2TP / IPSec VPN server configured and working (except for internet access) as per these instructions - https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP The VPN tunnel works and I can see the assets on the remote networks - as the firewall allows. The VPN network has a nat Masq ru...
by RackKing
Sun Jun 09, 2019 6:01 pm
Forum: General
Topic: Please check my FW rules for Unifi controller? [SOLVED]
Replies: 2
Views: 1106

Re: Please check my FW rules for Unifi controller? [SOLVED]

You've mixed things together in the filter rules. As you've combined the conditions which "new" packets must meet in order to be accepted with a condition saying they must not be "new" in a single rule, no "new" packet will ever go through, so no connection will ever b...
by RackKing
Sun Jun 09, 2019 5:16 pm
Forum: General
Topic: Please check my FW rules for Unifi controller? [SOLVED]
Replies: 2
Views: 1106

Please check my FW rules for Unifi controller? [SOLVED]

Hi, I have a Unifi controller behind a Mikrotik 3011 that works for my local gear. I want to add another site with APs that are at a friend's house. I got the port list from https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used that need to be open. Can someone confirm my firewall rules ...
by RackKing
Sat Jun 08, 2019 5:56 pm
Forum: General
Topic: L2TP idle-timeout?
Replies: 0
Views: 592

L2TP idle-timeout?

Hi,

I am trying to terminate L2TP/IPSec VPN connections after 15 mins of inactivity.

I tried using PPP/Profile/Limits/Idle Timeout to make this happen; it does not seem to work.

Any advice?
by RackKing
Fri Jun 07, 2019 10:45 am
Forum: Beginner Basics
Topic: DHCP reservation in or out of Pool/Scope?
Replies: 7
Views: 1352

Re: DHCP reservation in or out of Pool/Scope?

Thanks guys - that was what I was looking for.
by RackKing
Fri Jun 07, 2019 1:30 am
Forum: Beginner Basics
Topic: DHCP reservation in or out of Pool/Scope?
Replies: 7
Views: 1352

Re: DHCP reservation in or out of Pool/Scope?

Any ideas?
by RackKing
Fri Jun 07, 2019 1:29 am
Forum: General
Topic: Filter or NAT rule for ports Unifi?
Replies: 2
Views: 875

Re: Filter or NAT rule for ports Unifi?

anyone?
by RackKing
Thu Jun 06, 2019 3:31 pm
Forum: General
Topic: Filter or NAT rule for ports Unifi?
Replies: 2
Views: 875

Filter or NAT rule for ports Unifi?

What is the right way to do this - There is a main on premise Unifi server/controller running at 192.168.99.10. I need to allow remote owner Unifi gear in to see the controller for normal operation. Here are the ports Unifi has identified as required. - that all makes sense. https://help.ubnt.com/h...
by RackKing
Thu Jun 06, 2019 2:54 pm
Forum: Beginner Basics
Topic: DHCP reservation in or out of Pool/Scope?
Replies: 7
Views: 1352

DHCP reservation in or out of Pool/Scope?

This is more of a subjective question, but... I want to comment out some of the DHCP leases the router is giving out. Most of the time this is done in conjunction with assigning a specific IP address outside of the pool/scope. I am not as concerned with what the IP address is - simply who/what the host i...
by RackKing
Thu May 23, 2019 3:01 pm
Forum: General
Topic: Mikrotik router with Windows Server DHCP Server?
Replies: 2
Views: 1560

Mikrotik router with Windows Server DHCP Server?

Hi, Question - I have a Tik router connected behind a sonicwall router running a 192.168.33.1/24 network. There is a Windows server running DHCP on that network at 192.168.33.6. I want to get clients connected to my Tik to pick up an address from that DHCP server at 192.168.33.6 - ISP >> Sonicwall ...
by RackKing
Thu May 16, 2019 2:17 pm
Forum: The Dude
Topic: The Dude IS Dead, really, isn't it?
Replies: 41
Views: 15490

Re: The Dude IS Dead, really, isn't it?

An update for anyone interested. I've just spent the last few weeks testing several different NMS packages. From licensed to free. Zabbix was a close contender, Solarwinds was simply outside of our price range. We've decided on NetXMS. NetXMS has ticked several major boxes for us. It may have easily...
by RackKing
Mon Jan 28, 2019 10:55 pm
Forum: General
Topic: DHCP philosophy - where/what is it best served by?
Replies: 9
Views: 1361

Re: DHCP philosophy - where/what is it best served by?

Not just for outlook clients, if your DNS is not good in AD setup, it will break replication, etc. In an AD environment, use Windows for DHCP and DNS, they integrate with each other and serve a much bigger picture than just IP Addressing and Name resolution to browse the web, etc Thanks CZfan. I he...
by RackKing
Mon Jan 28, 2019 10:44 pm
Forum: General
Topic: DHCP philosophy - where/what is it best served by?
Replies: 9
Views: 1361

Re: DHCP philosophy - where/what is it best served by?

I manage all aspects of a network. Routers, switches, servers, video, VoIP, and pretty much anything else that gets an IP address. If there is a real server (or servers) on the network, one or more will be handling DNS, DHCP, and pretty much any other client/server type of service. Routers are quit...
by RackKing
Mon Jan 28, 2019 3:35 pm
Forum: General
Topic: DHCP philosophy - where/what is it best served by?
Replies: 9
Views: 1361

Re: DHCP philosophy - where/what is it best served by?

My view: DHCP server and DNS server are L3. If I'm in charge of L3 part of network infrastructure (i.e. address space allocation, perhaps some LAN DNS services[*]), then I'll request to deal with those services exclusively (doesn't matter if it's service running on top of some core router or dedica...
by RackKing
Mon Jan 28, 2019 2:59 pm
Forum: General
Topic: DHCP philosophy - where/what is it best served by?
Replies: 9
Views: 1361

DHCP philosophy - where/what is it best served by?

Hi, This is more of a general networking question than a Tik question for sure. I am curious to know what others are seeing currently and what the trend is. I suspect the answer moves depending on the market we are talking about. I currently deploy Mikrotik into a wide range of scenarios from res...
by RackKing
Thu Dec 20, 2018 2:53 am
Forum: General
Topic: Chromecast across VLANs?
Replies: 4
Views: 1475

Re: Chromecast across VLANs?

Thanks for this. I am trying to get a PC to cast a chrome tab. I think the guest feature only works with cast enabled apps from ios/android.

I wonder if Avahi works for this. I have never used it....
by RackKing
Wed Dec 19, 2018 4:11 pm
Forum: General
Topic: Chromecast across VLANs?
Replies: 4
Views: 1475

Re: Chromecast across VLANs?

Anyone?
by RackKing
Tue Dec 18, 2018 10:42 pm
Forum: General
Topic: Chromecast across VLANs?
Replies: 4
Views: 1475

Chromecast across VLANs?

How can I do this in ROS?
by RackKing
Tue Dec 11, 2018 6:06 pm
Forum: General
Topic: ISP modem reset causes MT dhcp client to get stuck at NAK
Replies: 0
Views: 613

ISP modem reset causes MT dhcp client to get stuck at NAK

This has become more of a problem recently, particularly when an ISP cable modem and Mikrotik router reset occurs due to power failure. The issue occurs when router's DHCP client makes a request prior to the modem being online and gets a private dhcp IP address from the ISP cable modem. When the lea...
by RackKing
Tue Dec 11, 2018 2:14 am
Forum: General
Topic: DHCP client script execution
Replies: 7
Views: 4061

Re: DHCP client script execution

I'll report what Wiki says: Script that will be executed after lease is assigned or de-assigned. Internal "global" variables that can be used in the script: leaseBound - set to "1" if bound, otherwise set to "0" leaseServerName - dhcp server name leaseActMAC - active m...
by RackKing
Mon Dec 10, 2018 10:43 pm
Forum: General
Topic: DHCP client script execution
Replies: 7
Views: 4061

Re: DHCP client script execution

I'll report what Wiki says: Script that will be executed after lease is assigned or de-assigned. Internal "global" variables that can be used in the script: leaseBound - set to "1" if bound, otherwise set to "0" leaseServerName - dhcp server name leaseActMAC - active m...
by RackKing
Mon Dec 10, 2018 5:50 pm
Forum: General
Topic: DHCP client script execution
Replies: 7
Views: 4061

DHCP client script execution

I see the DHCP client can execute a script. I cannot seem to make the script execute - under what circumstances should this trigger? I assumed a manual release would trigger the script. Or any change in the DHCP client status - any thoughts? Thanks.
by RackKing
Fri Dec 07, 2018 10:10 pm
Forum: General
Topic: Raw drop rule of a list... clarification needed.
Replies: 1
Views: 490

Raw drop rule of a list... clarification needed.

I have read this but want to make sure I understand correctly. If I have a "blacklist" created that is dropped by a rule in raw - there is no need to drop it anywhere else? To put another way - anything in raw that gets dropped will never be seen by the input and forward chains in the fil...
by RackKing
Fri Dec 07, 2018 5:51 pm
Forum: General
Topic: Log prefix length limit from a FW rule?
Replies: 0
Views: 504

Log prefix length limit from a FW rule?

It appears there is a limit to log prefix from a FW rule. Is there a way to increase this? They seem to get cut off with a ":"
by RackKing
Fri Dec 07, 2018 2:42 pm
Forum: General
Topic: NAT masq rule per src-address-list or one rule for everything? [SOLVED]
Replies: 4
Views: 919

Re: NAT masq rule per src-address-list or one rule for everything? [SOLVED]

@ mkx

"Order matters only within same chain. src-nat and dst-nat are different chains."

That makes perfect sense - thank you
by RackKing
Fri Dec 07, 2018 7:42 am
Forum: General
Topic: NAT masq rule per src-address-list or one rule for everything? [SOLVED]
Replies: 4
Views: 919

Re: NAT masq rule per src-address-list or one rule for everything? [SOLVED]

I have multiple masquerade rules but they are for each WANIP in a failover setup so its pretty clear cut. All LAN users are affected. However if I want to have specific users have their private IPs translated by a specific WANIP, then using source address list in the equation OR source interface li...
by RackKing
Fri Dec 07, 2018 3:23 am
Forum: General
Topic: NAT masq rule per src-address-list or one rule for everything? [SOLVED]
Replies: 4
Views: 919

NAT masq rule per src-address-list or one rule for everything? [SOLVED]

Hi - this is probably a silly question, but... I know the default NAT masq rule is:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Is this single rule the de facto standard? I have read/seen where this ha...
by RackKing
Thu Dec 06, 2018 6:38 pm
Forum: General
Topic: Interface-list VS firewall address-list best practices and approach?
Replies: 8
Views: 1823

Re: Interface-list VS firewall address-list best practices and approach?

I use a mixture of both. As you mentioned, Interface List is like "Zone" based, "trusted", "untrusted", etc. but sometimes need to be more granular, then I use Address Lists, etc Thanks CZFan - the granular part makes good sense. Never thought of it like that. I am sti...
by RackKing
Thu Dec 06, 2018 6:34 pm
Forum: General
Topic: Interface-list VS firewall address-list best practices and approach?
Replies: 8
Views: 1823

Re: Interface-list VS firewall address-list best practices and approach?

I too do similar with my setup. Interface list as an example "WANs" for my 2 WAN interfaces which is good for firewall & NAT rules and make use of address lists in multiple ways. I think of it more as interface-list for hardware interfaces and address-lists for IP related. Sometimes b...
by RackKing
Thu Dec 06, 2018 2:40 pm
Forum: General
Topic: Interface-list VS firewall address-list best practices and approach?
Replies: 8
Views: 1823

Interface-list VS firewall address-list best practices and approach?

I was thinking about how to use these more effectively and efficiently. I typically use an interface-list for WAN and MGMT but use firewall address-list for LAN segregation. Most of the time ether1 is the only interface in the WAN list so I am not sure what I am really saving. I suppose it is easier...
by RackKing
Wed Dec 05, 2018 8:16 pm
Forum: Wireless Networking
Topic: DPSK Dynamic WPA2 PSK support [SOLVED]
Replies: 8
Views: 7768

Re: DPSK Dynamic WPA2 PSK support [SOLVED]

Furthermore, you can associate a RADIUS to manage the mac-address/password association. There are few presentations that covered this topic. MikroTik was there for ages, too bad they didn't use it as a good advertisement. Do you have a link to the presentations? I assume you mean youtube, but I can...
by RackKing
Tue Dec 04, 2018 2:57 pm
Forum: General
Topic: Sonos across VLANs?
Replies: 38
Views: 11137

Re: Sonos across VLANs?

Are you saying that the smart phone and the SONOS will have to be on the same VLAN in the house?? Yes. Unless you implement either of the two solutions above (properly configured igmp-proxy or PIM) thus allowing you to connect controllers PCs, iPhone app, etc... with Sonos equipment Connects, Amps,...
by RackKing
Tue Dec 04, 2018 2:23 pm
Forum: General
Topic: Feature request for v7.x
Replies: 282
Views: 79815

Re: Feature request for v7.x

mDNS server for Chromecast/Bonjour/ZeroConfig across VLANs.

WiFi networks are too big to have all the available devices all bridged to the LAN.

Would be nice to then firewall what devices are discoverable.
m2
by RackKing
Tue Dec 04, 2018 2:05 pm
Forum: General
Topic: Sonos across VLANs?
Replies: 38
Views: 11137

Re: Sonos across VLANs?

Hi anav - Sorry for the late reply. Yes the sonos is very different and relies on the controller PC or app to see broadcast/multicast traffic in order to work. Control is all local and the services come through the cloud. They can create their own hidden "sonosnet" wi-fi mesh on 2.4 which can...
by RackKing
Mon Dec 03, 2018 4:28 pm
Forum: Beginner Basics
Topic: Routing between 2 Subnets
Replies: 22
Views: 8256

Re: Routing between 2 Subnets

@RackKing: Yes, My Sonos Speakers are in VLAN30 and the controllers are across different Subnets. It works for me, but sometimes it takes some time until a controller finds the Sonos players (especially the Android widget). For updates it is recommended to join one controller to VLAN30, otherwise y...
by RackKing
Sun Dec 02, 2018 9:14 pm
Forum: General
Topic: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?
Replies: 13
Views: 2188

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

I guess the reason for things stopping with use-ip-firewall-for-vlan is that you allow DNS requests from interface list LAN, but that one doesn't contain ether ports ... and those are ports seen by firewall when used for vlan filtering.. I gave the above a shot and moved to an src address list as ...
by RackKing
Sun Dec 02, 2018 9:00 pm
Forum: General
Topic: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?
Replies: 13
Views: 2188

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Out of curiosity, why do you want to use firewall on traffic between hosts in vlan90 iff they communicate via routerboard? Vlan firewall doesn't add security for devices which are not in same vlan (their traffic will pass the usual IP firewall anyway) and doesn't filter anything if devices can talk...
by RackKing
Sun Dec 02, 2018 8:55 pm
Forum: General
Topic: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?
Replies: 13
Views: 2188

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Well, when I started writing my response, your configuration export wasn't there yet, and I haven't noticed it to appear while sending my response. The dstnat chain of nat is also part of the "prerouting" path through the IP firewall, so I would suspect that the action=redirect may get co...
by RackKing
Sun Dec 02, 2018 8:06 pm
Forum: General
Topic: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?
Replies: 13
Views: 2188

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Hi sindy,

The only thing running in the raw on mangle section are the dummy Fasttrack counters. I assume those would not cause any issue?

Anything else I should check?

Thanks.
by RackKing
Sun Dec 02, 2018 7:20 pm
Forum: General
Topic: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?
Replies: 13
Views: 2188

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Hi sindy - thanks for taking the time to help. Well yes - to put it a different way. The firewall works as I desire, but when I added the NAT redirect rule the clients stop getting DNS resolution from the router. This is with the use-ip-firewall and use-ip-firewall-for-vlan enabled on the bridge. Th...
by RackKing
Sun Dec 02, 2018 5:05 pm
Forum: General
Topic: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?
Replies: 13
Views: 2188

Re: DNS stops working with Bridge use IP Firewall & IP VLAN?

Thank you all for your replies. I have narrowed it down some, but must admit I am not sure why it is failing to work. I have a NAT redirect rule for DNS. That is the rule that stops the DNS from resolving with IP firewall and VLAN use turned on. When they are disabled DNS works fine. In torch - the m...
by RackKing
Sat Dec 01, 2018 9:56 pm
Forum: Beginner Basics
Topic: Routing between 2 Subnets
Replies: 22
Views: 8256

Re: Routing between 2 Subnets

@Spartacus I was thinking about your FW - nice. I have some questions to pile on :-). Sonos - do those rules allow another user on one subnet to control and connect via the Sonos ap to the hardware on a different subnet? Seems like a good idea to keep the "noisy" sonos equipment on its own...
by RackKing
Fri Nov 30, 2018 11:48 pm
Forum: General
Topic: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?
Replies: 13
Views: 2188

Re: DSN stops working with use IP Firewall & IP VLAN?

Thank you for your reply. The system is working with this unchecked. I have an input rule working that allows in UDP, TCP requests from the lan port 53 while blocking WAN requests. Name resolution is working properly. When I turn on Bridge / use IP firewall /use VLAN that rule stops running. There ...
by RackKing
Fri Nov 30, 2018 9:59 pm
Forum: General
Topic: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?
Replies: 13
Views: 2188

DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Hi, I have some VLANs running on one main bridge. Everything is working with use IP Firewall turned off, but when I turn it on DNS resolution stops working. I have the appropriate DNS rules to allow input to router from these networks specified with address lists. Vlan filtering is used on the bridg...
by RackKing
Thu Nov 29, 2018 10:44 pm
Forum: General
Topic: Firewall Questions
Replies: 8
Views: 1600

Re: Firewall Questions

Good stuff - great read!
by RackKing
Wed Nov 28, 2018 5:45 am
Forum: RouterBOARD hardware
Topic: hAP ac2 slides in the case?
Replies: 1
Views: 763

Re: hAP ac2 slides in the case?

So - I took the case apart and indeed the board was not seated into the slots at the back of the case properly. It also explains why the LEDs were not very bright as well. I gently pried up in the bottom slot by the power input with a thin screwdriver and the front retaining bracket came off. I have...
by RackKing
Wed Nov 28, 2018 5:23 am
Forum: RouterBOARD hardware
Topic: hAP ac2 slides in the case?
Replies: 1
Views: 763

hAP ac2 slides in the case?

I have gotten a couple of these - the board slides about 1/4" with the case front to back. Anybody else see this? So when you plug a cable in the board slides backward and hits the back of the case I presume. Pull the cable and the whole thing slides forward and stops. Perhaps I can open the ...
by RackKing
Sat Nov 24, 2018 2:17 pm
Forum: General
Topic: Logging email action adding firewall prefix to logs that don't have them?
Replies: 1
Views: 500

Logging email action adding firewall prefix to logs that don't have them?

Hi, I have a logging rule designed to send an email if the firewall action log contains a prefix "must match" for example. The firewall rule works correctly and adds the prefix to the log like "must match input: xxxxxx...." The problem is the logging rule seems to attach that pre...
by RackKing
Thu Nov 22, 2018 3:43 pm
Forum: General
Topic: Why blacklist burteforcers VS just dropping the ports/service?
Replies: 7
Views: 1289

Re: Why blacklist burteforcers VS just dropping the ports/service?

Pre-empting the worst is probably the best summary.
If they're poking at certain ports when they shouldn't then you probably don't want them poking at anything.
This makes a great deal of sense to me - thanks.

Good discussion - thanks to all who responded.
by RackKing
Wed Nov 21, 2018 4:17 pm
Forum: General
Topic: Why blacklist burteforcers VS just dropping the ports/service?
Replies: 7
Views: 1289

Why blacklist burteforcers VS just dropping the ports/service?

If you have drop rules that simply drop packets to ports/services you do not use like ssh, ftp, telnet, winbox, etc... what is the advantage to creating a timed black list and dropping that? Is it to gain the logs and perform further action? If you have the IP/Services turned for all those is there ...
by RackKing
Wed Nov 21, 2018 7:11 am
Forum: General
Topic: Block MNDP with IP Neighbors running? [SOLVED]
Replies: 2
Views: 1296

Re: Block MNDP with IP Neighbors running? [SOLVED]

Despite the fact MNDP is located in /ip neighbor menu, it should be considered as L2 protocol because both dst-MAC and dst-IP are broadcasts. Due to that, /ip firewall (both filter and raw) see the packets but can't drop them. (personally I consider that as bug - either it should count matched pack...
by RackKing
Wed Nov 21, 2018 5:09 am
Forum: General
Topic: Block MNDP with IP Neighbors running? [SOLVED]
Replies: 2
Views: 1296

Block MNDP with IP Neighbors running? [SOLVED]

Hi, I am trying to allow only admin computers that are on a "Winbox_Admin" firewall address list to see the neighbor discovery results from winbox connections to MNDP UDP on port 5678. I want to leave Neighbors Discover settings on my management interface running but block the "result...
by RackKing
Sat Nov 17, 2018 11:50 pm
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 4767

Re: IP Neighbor Discovery

Hi,

I have been blocking all udp 5678 packets input and forward chains with no luck. Anyone have some help - please?

Thanks
by RackKing
Fri Nov 16, 2018 4:34 pm
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 4767

Re: IP Neighbor Discovery

Anybody else have a thought on this?
by RackKing
Thu Nov 15, 2018 7:16 pm
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 4767

Re: IP Neighbor Discovery

is chain=input right? input is for traffic going to router itself. chain=forward maybe? Hi and thanks for your response. I have a rule for both chains now - the only one that ever generates any traffic is the input rule. The remote winbox pc is sending the MNDP broadcast to the input of the router ...
by RackKing
Thu Nov 15, 2018 5:53 pm
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 4767

Re: IP Neighbor Discovery

So I made this firewall filter rule and dragged it to the top.

chain=input action=drop protocol=udp dst-address=255.255.255.255 dst-port=5678 log=no
log-prefix=""

I still see the connection from the host winbox IP:5678.

Am I missing something?
by RackKing
Thu Nov 15, 2018 4:05 pm
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 4767

Re: IP Neighbor Discovery

Just filter out UDP broadcast packets with destination 255.255.255.255 & port 5678 on the devices you don't want taking part in MNDP.
@icsterm Thank you very much. I will give it a shot!
by RackKing
Wed Nov 14, 2018 12:03 am
Forum: General
Topic: Sonos across VLANs?
Replies: 38
Views: 11137

Re: Sonos across VLANs?

Thank you for posting this - could you expand a little bit? A sample config would help me get my head wrapped around it. Turning on igmp proxy on the interfaces but I have never used the other features.

Thanks for any help.
by RackKing
Tue Nov 13, 2018 6:33 am
Forum: General
Topic: Netinstall sending offer, but not installing [SOLVED]
Replies: 8
Views: 7413

Re: Netinstall sending offer, but not installing [SOLVED]

So.... thank you everyone for this thread and specifically to @Retral and @pukkita. I worked on this for a couple of hours.... it was maddening. I tried 3 different branded laptops win7 - 10 no luck until I found this thread. I think this thread should get referenced in the Wiki. FYI - I could get ...
by RackKing
Mon Nov 12, 2018 12:05 pm
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 4767

Re: IP Neighbor Discovery

@docmarius That was my understanding thanks for the clarification. Discovery is a nice feature to make some things more convenient but I understand the reason for turning it off. I was contemplating leaving it running on my management interface. My concern is that if somebody gains access to an inte...
by RackKing
Sun Nov 11, 2018 3:45 am
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 4767

Re: IP Neighbor Discovery

If there is a way to limit the discovery from only showing up on specific interfaces let me know. "With a list you can activate a single interface" I am not talking about limiting what port it "discovers on" I want it to only report what it discovers to a single physical interfac...
by RackKing
Fri Nov 09, 2018 6:14 pm
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 4767

Re: IP Neighbor Discovery

As in the firewall address list?
by RackKing
Fri Nov 09, 2018 4:22 pm
Forum: General
Topic: Management Network for router access?
Replies: 10
Views: 1886

Re: Management Network for router access?

@R1CH - do you leave Neighbors Discover on for your management VLAN?
by RackKing
Fri Nov 09, 2018 4:18 pm
Forum: General
Topic: Management Network for router access?
Replies: 10
Views: 1886

Re: Management Network for router access?

On one of my bigger networks I have a dedicated management VLAN. RouterOS is firewalled on every interface except this VLAN, so it only performs routing. I have a Linux box on the management network running wireguard that allows me to remote in, I trust wireguard far more than any of the RouterOS V...
by RackKing
Fri Nov 09, 2018 4:12 pm
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 4767

IP Neighbor Discovery

I understand the Neighbor Discovery Settings can only run on an interface list. So you can create a list <LAN> and Add an interface to it like <LAN-VLAN>. It will then discover devices on that VLAN and advertise them to Winbox correct? Can you have the "advertised to only a single interface? My ...
by RackKing
Fri Nov 09, 2018 3:47 pm
Forum: General
Topic: Management Network for router access?
Replies: 10
Views: 1886

Re: Management Network for router access?

It's a great idea to have a management network if your end devices can be separated like that. Once you are in a SOHO/SMB environment then this becomes almost standard to have multiple LANs (/vlans). The trick is ensuring nobody simply plugs in to your MGMT network to access the devices. Ensuring y...
by RackKing
Thu Nov 08, 2018 3:18 pm
Forum: General
Topic: Ip Servcie/ Winbox/Available From VS Firewall
Replies: 0
Views: 489

Ip Servcie/ Winbox/Available From VS Firewall

How does the IP/Service/Winbox - "Available From" differ from an input rule with address-list in the firewall? Does one have priority over the other?
by RackKing
Thu Nov 08, 2018 4:42 am
Forum: General
Topic: Management Network for router access?
Replies: 10
Views: 1886

Re: Management Network for router access?

Thank you both for your replies.
by RackKing
Thu Nov 08, 2018 4:07 am
Forum: General
Topic: Management Network for router access?
Replies: 10
Views: 1886

Re: Management Network for router access?

I would really appreciate any feedback.
by RackKing
Wed Nov 07, 2018 3:39 pm
Forum: The Dude
Topic: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?
Replies: 6
Views: 3100

Re: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?

I don't think they overlap and I would implement Dude, Splunk and, in place of Cacti, Zabbix. Dude for management and very basic monitoring but it can do more. Splunk (I am using its alternative Graylog) for log collecting, log analyzing and alerting. Zabbix for monitoring, graphing and alerting. ...
by RackKing
Wed Nov 07, 2018 2:14 pm
Forum: General
Topic: Management Network for router access?
Replies: 10
Views: 1886

Management Network for router access?

This is a SOHO/SMB focused question for the most part. I typically create a management network for devices like managed switches, APs, Power Devices, and other various widgets that are directly related to core network operations. I let them pull DHCP and then set a reservation out of the DHCP scope....
by RackKing
Wed Nov 07, 2018 2:45 am
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 383
Views: 118222

Re: RB4011

Just got my wired 4011 up in the lab.... I will play with it over the next week. Physically a solid device - but what I don't like > - miss the beep (dumb I know) - miss the LCD as it had customer curb appeal even though it was rarely used.... - think it should have USB - storage and WAN - I really ...
by RackKing
Tue Nov 06, 2018 8:02 pm
Forum: The Dude
Topic: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?
Replies: 6
Views: 3100

Re: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?

For monitoring stuff I do recommend Splunk as I have posted here: https://forum.mikrotik.com/viewtopic.php?t=137338 There are other nice program like NEDI that can be used to keep track of all your devices. Thanks for your reply! Do you use The Dude? I am thinking about using Splunk as well but it ...
by RackKing
Tue Nov 06, 2018 7:32 pm
Forum: General
Topic: HW Switch vs Bridge VLANs..... the future?
Replies: 8
Views: 1813

Re: HW Switch vs Bridge VLANs..... the future?

Here is a post where I am struggling to understand the VLAN :) https://forum.mikrotik.com/viewtopic.php?t=138232 I have read that thread about 10 times... it is good stuff. I am amazed at your visualizations and drawings - Visio? I could only dream of doing something that well laid out - great work.
by RackKing
Tue Nov 06, 2018 6:39 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 42373

Re: Blacklist Filter (Development Topic)

So maybe a dumb question... I did have a look at the Patreon page. What level would you recommend to an integrator like who would offer this to his customers as part of an annual service offering? I would bill them directly and purchase your service. I suppose I could buy a tier and then upgrade as I ...
by RackKing
Tue Nov 06, 2018 3:54 pm
Forum: General
Topic: HW Switch vs Bridge VLANs..... the future?
Replies: 8
Views: 1813

Re: HW Switch vs Bridge VLANs..... the future?

@Jotne thanks very much for your reply. I have not been brave enough to try and combine these approaches yet, but I can see where you can get the best of both worlds by doing so. I guess there is "no one bridge to rule them all"... :-) (sorry). it is curious that newer hardware does not ha...
by RackKing
Tue Nov 06, 2018 3:45 pm
Forum: The Dude
Topic: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?
Replies: 6
Views: 3100

Re: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?

Thank you for the reply. So much for a single pain of glass :-)
by RackKing
Tue Nov 06, 2018 4:44 am
Forum: General
Topic: Whitelist VS blacklist , CPU hit, throughput, etc... thoughts?
Replies: 3
Views: 770

Re: Whitelist VS blacklist , CPU hit, throughput, etc... thoughts?

Due to that, you can't consider blacklist as alternative to whitelists (which are useful only for incoming connections). It has different purpose and even with thousands of blocked IP's blacklist will not have significant impact on your CPU.
This was very helpful - and perhaps the end game.
by RackKing
Tue Nov 06, 2018 4:41 am
Forum: General
Topic: Whitelist VS blacklist , CPU hit, throughput, etc... thoughts?
Replies: 3
Views: 770

Re: Whitelist VS blacklist , CPU hit, throughput, etc... thoughts?

@vecernik87

Thank you very much for your thoughtful response. That helps me very much.
by RackKing
Tue Nov 06, 2018 2:46 am
Forum: The Dude
Topic: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?
Replies: 6
Views: 3100

Re: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?

Anyone? I was hoping @jotne would chime in as he is the Splunk guy and spread some light on this topic.
by RackKing
Tue Nov 06, 2018 2:34 am
Forum: General
Topic: Whitelist VS blacklist , CPU hit, throughput, etc... thoughts?
Replies: 3
Views: 770

Whitelist VS blacklist , CPU hit, throughput, etc... thoughts?

Hi, I have been reading a great deal about all the various exploits going around and thinking about how to protect my networks better. I also have read about the interesting blacklist update projects that are being developed. One comment got me thinking about whitelisting vs blacklisting - the spiri...
by RackKing
Mon Nov 05, 2018 7:17 pm
Forum: RouterBOARD hardware
Topic: hap ac2 in a StationBox - Anyone? [SOLVED]
Replies: 2
Views: 1057

Re: hap ac2 in a StationBox - Anyone? [SOLVED]

um - I feel silly.... That is the ticket.
by RackKing
Mon Nov 05, 2018 6:48 pm
Forum: RouterBOARD hardware
Topic: hap ac2 in a StationBox - Anyone? [SOLVED]
Replies: 2
Views: 1057

hap ac2 in a StationBox - Anyone? [SOLVED]

Any feedback or pictures? Or another solution if you wanted to ceiling mount this. Thanks in advance.
by RackKing
Mon Nov 05, 2018 2:44 pm
Forum: The Dude
Topic: The Dude, Cacti, Splunk, NMS - where do the fit/overlap?
Replies: 6
Views: 3100

The Dude, Cacti, Splunk, NMS - where do the fit/overlap?

I am just trying to get this sorted in my mind. I am curious to know how these fit together, or don't. What is the typical use case, or better put how do you use them. I primarily serve the SMB market. I am not a WISP, although I do a fair amount of PTP and PTMP installations :-). I am to the point wh...
by RackKing
Fri Nov 02, 2018 4:25 am
Forum: General
Topic: HW Switch vs Bridge VLANs..... the future?
Replies: 8
Views: 1813

Re: HW Switch vs Bridge VLANs..... the future?

it does even appear on the new RB4011 device. We need a standard layer to work with VLAN and let it sort itself out automatically. Thanks for the response.... wow I had no idea the new 4011 did not allow access to the switch chip config. Poor assumption on my part - thanks for setting me straight. ...
by RackKing
Fri Nov 02, 2018 3:55 am
Forum: General
Topic: HW Switch vs Bridge VLANs..... the future?
Replies: 8
Views: 1813

HW Switch vs Bridge VLANs..... the future?

I have spent countless hours reading posts from @sindy, @CZFan, @mkx, @efaden, @dasiu, @Jotne, and many others who gratefully contributed to this topic on these forums. I cannot express how thankful I am for all your posts on this often confusing and complex topic. Sharing your knowledge and patien...
by RackKing
Wed Oct 31, 2018 1:35 pm
Forum: General
Topic: 6.41 to 6.43 ping across vlan stopped working.
Replies: 0
Views: 526

6.41 to 6.43 ping across vlan stopped working.

Same firewall rules - any idea where to start looking? The gateway for each vlan is responding to ping but the hosts are not.
by RackKing
Mon Oct 29, 2018 5:01 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 1333

Re: Advanced IP scanners locks up winbox access?

Right - no radius here. I have 3.18.

I still have the issue. I am going to do some more testing today...
by RackKing
Tue Oct 23, 2018 2:48 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 1333

Re: Advanced IP scanners locks up winbox access?

That is what happens to me as well.

Anyone?
by RackKing
Mon Oct 22, 2018 2:10 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 1333

Advanced IP scanners locks up winbox access?

Hi, I have used Advanced IP scanner for a long time with no issues. I use it to scan the network from a connected PC to get info on devices, IP, etc... it is easy and I like the export function. I know a similar scan can be done in winbox, but not as convenient from a test client without winbox.... ...
by RackKing
Wed Jun 13, 2018 5:03 am
Forum: General
Topic: VLAN, Trunk and access port help requested with 6.41 changes
Replies: 10
Views: 2667

Re: VLAN, Trunk and access port help requested with 6.41 changes

do it the old way... RB3011 connections ether1 - WAN ether2 - Trunk 1 (V100, V200, V300) ether3 - Trunk 2 (V100, V200, V300) ether4 - access port vlan 100 ether5 - access port vlan 200 1. make a bridge. br1 2. add ether2 and 3 to the bridge. 3 make vlan 100 and 200 as port to the bridge. vlan100_br...
by RackKing
Wed Jun 13, 2018 5:02 am
Forum: General
Topic: VLAN, Trunk and access port help requested with 6.41 changes
Replies: 10
Views: 2667

Re: VLAN, Trunk and access port help requested with 6.41 changes

Not sure I understand your last sentence. I am trying to have VLAN 100 and 200 present (egress?) on ether2 and 3 to pass tagged to a downstream switch. The tags simply aren't there. I can confirm this with a test downstream switch and a Netool.io scan device. When I use your option 1 from the first...
by RackKing
Sat Jun 09, 2018 12:33 am
Forum: General
Topic: VLAN, Trunk and access port help requested with 6.41 changes
Replies: 10
Views: 2667

Re: VLAN, Trunk and access port help requested with 6.41 changes

The only mistake I can spot is that under /interface bridge port, you haven't set the pvid for the access ports ether4 and ether5. So you have to add the pvid parameter to these lines in accord with the rules under /interface bridge vlan: /interface bridge port set [find interface=ether4] pvid=1...
by RackKing
Fri Jun 08, 2018 11:21 pm
Forum: General
Topic: VLAN, Trunk and access port help requested with 6.41 changes
Replies: 10
Views: 2667

Re: VLAN, Trunk and access port help requested with 6.41 changes

here is the config - note the default was left to keep it simple so I could connect. # jun/08/2018 15:16:55 by RouterOS 6.42.3 # software id = # # model = 2011UiAS /interface bridge add admin-mac=64:D1:54:1E:B4:AE auto-mac=no comment=defconf name=bridge add fast-forward=no name=my-bridge vlan-filter...
by RackKing
Fri Jun 08, 2018 11:07 pm
Forum: General
Topic: VLAN, Trunk and access port help requested with 6.41 changes
Replies: 10
Views: 2667

Re: VLAN, Trunk and access port help requested with 6.41 changes

Thanks for responding. I will have to build it from your option 2 and will post back.
by RackKing
Fri Jun 08, 2018 9:26 pm
Forum: General
Topic: VLAN, Trunk and access port help requested with 6.41 changes
Replies: 10
Views: 2667

VLAN, Trunk and access port help requested with 6.41 changes

Hi, First I would like to say thank you to the following members in no particular order: @sindy @CZFan and @acrul. I have read through your many posts and am grateful for what I have gleaned. But - I have been really struggling this week trying to get this sorted. I am hoping someone can set me straigh...