Search found 52 matches

by usdmatt
Tue Feb 26, 2019 5:53 pm
Forum: General
Topic: Firewall not matching bridge traffic in interface list
Replies: 5
Views: 830

Re: Firewall not matching bridge traffic in interface list

I'll try going through your comments in order - I think you can delete this default rule which sticks around and is not so easy to find (static tab under IP DNS). I could remove the static DNS entry for "router", but I don't really see any harm in it being there. What is the purpose of the first rul...
by usdmatt
Tue Feb 26, 2019 3:39 pm
Forum: General
Topic: Firewall not matching bridge traffic in interface list
Replies: 5
Views: 830

Re: Firewall not matching bridge traffic in interface list

Config included below - Lan ports 1-5 are in a bridge Wan is 6 Wifi AP is in 10 simply as a standalone port with its own DHCP Both port10 and bridge-lan are in the lan interface list. Firewall rule for "lan" interface list is matching wifi packets but nothing through bridge-lan # feb/26/2019 13:29:5...
by usdmatt
Tue Feb 26, 2019 1:50 pm
Forum: General
Topic: Firewall not matching bridge traffic in interface list
Replies: 5
Views: 830

Firewall not matching bridge traffic in interface list

Hello, I've just upgraded a router (2011) that was running the older firmware that still used the master/slave options to the current version 6.44. As part of this it automatically created a bridge, and also seems to have added this to the "lan" interface list. However, it seems that the existing "a...
by usdmatt
Thu Jan 03, 2019 12:41 pm
Forum: General
Topic: PPPoE Rate Limiting / Shaping
Replies: 2
Views: 344

Re: PPPoE Rate Limiting / Shaping

Thanks for the links. I think I'm going to have to do a lot of testing.
by usdmatt
Thu Jan 03, 2019 12:05 pm
Forum: General
Topic: PPPoE Rate Limiting / Shaping
Replies: 2
Views: 344

PPPoE Rate Limiting / Shaping

Hello, We currently use a couple of CCR routers to handle PPPoE connections from our wireless users. I'm now looking at ways to try and improve our bandwidth management. Currently we just use the Mikrotik-Rate-Limit radius attribute, which sets up a simple queue for each user. This works fairly well...
by usdmatt
Thu Oct 11, 2018 3:56 pm
Forum: General
Topic: Can my ISP access my Mikrotik Router and make changes?
Replies: 7
Views: 944

Re: Can my ISP access my Mikrotik Router and make changes?

If the Mikrotik was supplied by the ISP then it's entirely possible they will give themselves remote access by adding an allow rule in the input chain from their network. We often do this as if we provide a Mikrotik, we tend to also look after it - Most people struggle to open a port on a basic web ...
by usdmatt
Wed Oct 03, 2018 2:14 pm
Forum: Beginner Basics
Topic: Need YouTube CIDR/Netmask
Replies: 8
Views: 1064

Re: Need YouTube CIDR/Netmask

nslookup would just give you the address(es) of the servers providing the basic website. I only get a single address returned, and it's highly unlikely that's the only address. On top of that, there are various other domains such as ytimg.com used to load parts of the website, most of which will be ...
by usdmatt
Thu Aug 16, 2018 11:17 am
Forum: General
Topic: Convert from Cisco to Mikrotik [SOLVED]
Replies: 7
Views: 1853

Re: Convert from Cisco to Mikrotik [SOLVED]

I'm sure you're right but is there any information from Mikrotik which shows that src-nat is preferred over masquerade? All I can find is a post from a few years ago from Mikrotik support saying there should be no visible performance difference. (https://forum.mikrotik.com/viewtopic.php?t=94776). I ...
by usdmatt
Tue Aug 14, 2018 3:21 pm
Forum: General
Topic: Convert from Cisco to Mikrotik [SOLVED]
Replies: 7
Views: 1853

Re: Convert from Cisco to Mikrotik [SOLVED]

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2 /ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.2.1 to-addresses=172.16.1.2 Also looks like last reply forgot to change destination network in the default nat rule /ip route add dst-ad...
by usdmatt
Fri Aug 10, 2018 11:32 am
Forum: General
Topic: internet speed
Replies: 1
Views: 395

Re: internet speed

I have connected my mikrotik CRS125-24G-1S-2Hnd to my home network and port 1 is connected to the internet. Even though Mikrotik market this themselves as a "perfect SOHO gateway router", their switch products tend to suck at routing. This has a 600MHz CPU, while a HEX S at 1/3 the price has a dua...
by usdmatt
Thu Aug 09, 2018 1:03 pm
Forum: General
Topic: ROS vs SWOS
Replies: 2
Views: 466

Re: ROS vs SWOS

If it's just a switch you probably could have got away with the cheaper CSS326 (2/3 the price here in the UK). I would expect the OS to make no difference in regard to switching as it's all done in hardware. SWOS is a bit easier to configure, and you could argue that it's impossible to accidentally con...
by usdmatt
Thu Aug 09, 2018 11:19 am
Forum: General
Topic: New Attack on WPA/WPA2 Discovered, Most Modern Routers Might be at Risk
Replies: 8
Views: 1926

Re: New Attack on WPA/WPA2 Discovered, Most Modern Routers Might be at Risk

Do I really understand this correctly, that when connecting to a router with one of these roaming protocols enabled, it sends out a hash which can be brute-forced to retrieve the PSK? Did no-one making the specs think this might be a problem? It's surprising it took this long to find considering the...
by usdmatt
Wed Aug 08, 2018 11:48 am
Forum: General
Topic: IntraVLAN speeds
Replies: 12
Views: 827

Re: IntraVLAN speeds

Have a look at the CPU usage when doing the transfer. The absolute max that router can handle according to the test results is 1.4Gbps in the most ideal situation (fast path & 1518 byte packets). It drops off heavily with smaller packets and filter rules. Fasttrack should help. Interestingly the wik...
by usdmatt
Wed Aug 08, 2018 11:12 am
Forum: General
Topic: Do not open port tcp/23 to your device from internet you will be hacked
Replies: 6
Views: 1348

Re: Do not open port tcp/23 to your device from internet you will be hacked

This isn't really a surprise for most people. Every service you run will get hit by attacks. Software like fail2ban has existed for years specifically to allow you to run a service (SMTP/HTTP/SSH/whatever) that is going to get abused, and automatically block repeated hack attempts. I've seen the ran...
by usdmatt
Wed Aug 08, 2018 11:03 am
Forum: General
Topic: IntraVLAN speeds
Replies: 12
Views: 827

Re: IntraVLAN speeds

What's the router you're using and the VLAN config?
by usdmatt
Mon Aug 06, 2018 3:47 pm
Forum: General
Topic: Output chain questions
Replies: 7
Views: 1712

Re: Output chain questions

Looks like that IP belongs to Mikrotik so it appears to be some cloud/time/package check to their servers. This recent reddit post had a similar issue and tried to establish exactly what connects out from the router - https://www.reddit.com/r/mikrotik/comments/94ru3u/cloudmikrotikcom_dns_queries/ Th...
by usdmatt
Mon Aug 06, 2018 2:43 pm
Forum: General
Topic: XBox One and Mikrotik
Replies: 6
Views: 3229

Re: XBox One and Mikrotik

This seems to be a common issue with the absolute overly secure router os. RouterOS by default functions as a perfectly standard NAT router. There is no reason a device designed to work behind NAT (which an Xbox should seeing as that's 99+% of the install base) should not work just as well as any o...
by usdmatt
Fri Aug 03, 2018 5:26 pm
Forum: Beginner Basics
Topic: Very noob security question
Replies: 2
Views: 509

Re: Very noob security question

Probably get some different opinions on this one. I have Mikrotik switches on my LAN with no firewall rules. If I did use the firewall I'd just end up with an allow from LAN ports, so I can get into it, which is the only way to get to it anyway, so any further drop rules would never match anything. ...
by usdmatt
Thu Aug 02, 2018 4:12 pm
Forum: General
Topic: Mikrotik in the news..bad news
Replies: 56
Views: 9048

Re: Mikrotik in the news..bad news

This has already been addressed for quite some time using interface lists in default configuration As you stated "people to mess with the firewall", default allow changed to default drop will not improve anything. Assuming you know to add the interface to the wan list... But yes this doesn't improve anythin...
by usdmatt
Thu Aug 02, 2018 3:27 pm
Forum: General
Topic: Mikrotik in the news..bad news
Replies: 56
Views: 9048

Re: Mikrotik in the news..bad news

As it was already pointed out, the default firewall rules do that. They block all until allowed by the user. I was referring to an implicit block that everything hits even if the firewall is empty (of course thought would have to be put in to what to do if someone deletes all the rules). Lots of peo...
by usdmatt
Thu Aug 02, 2018 2:57 pm
Forum: General
Topic: Mikrotik in the news..bad news
Replies: 56
Views: 9048

Re: Mikrotik in the news..bad news

I think he means the default action of "if no filters apply", which is a non issue given the factory "default" firewall filters. I did think while reading this post that maybe the firewall should default to deny with no rules, so you have to explicitly allow everything you want to go through. Some...
by usdmatt
Thu Aug 02, 2018 2:47 pm
Forum: General
Topic: Mikrotik in the news..bad news
Replies: 56
Views: 9048

Re: Mikrotik in the news..bad news

I agree Samot and co, I'm not really sure what Mikrotik can do about the kit out there that still isn't patched. These routers probably haven't been logged into at all for years. Unfortunately Mikrotik aren't big enough for this to have been global big news like it might be with Netgear/TPlink or bi...
by usdmatt
Wed Aug 01, 2018 4:30 pm
Forum: Wireless Networking
Topic: Best wireless setup for LAN
Replies: 2
Views: 647

Re: Best wireless setup for LAN

IT operator workstations and Voip phones connected via Wifi... Is cabling it definitely out of the question?
by usdmatt
Tue Jul 31, 2018 6:05 pm
Forum: General
Topic: Port isolation on CRS328-4C-20S-4S+
Replies: 1
Views: 344

Re: Port isolation on CRS328-4C-20S-4S+

Since RouterOS v6.43rc11...

Or set up VLANs.
by usdmatt
Tue Jul 31, 2018 5:53 pm
Forum: Beginner Basics
Topic: Natting Problem (HairPin Nat) [SOLVED]
Replies: 11
Views: 1224

Re: Natting Problem (HairPin Nat) [SOLVED]

Unless there are other constraints in your network, you should be able to access your mail server even without NAT being involved with simple routing (without your HairPIN NAT) I suspect they're accessing some hostname that resolves to the public IP address of the Mikrotik (1.1.1.1). The router will...
by usdmatt
Tue Jul 31, 2018 2:23 pm
Forum: Beginner Basics
Topic: Natting Problem (HairPin Nat) [SOLVED]
Replies: 11
Views: 1224

Re: Natting Problem (HairPin Nat) [SOLVED]

add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address= 192.168.0.0/16 src-address=192.168.0.0/16 out-interface=ether04 You want to be natting traffic going out vlan704 to the server coming from ether04, so that the source gets changed to the router's IP. That will cause replies from ...
by usdmatt
Tue Jul 31, 2018 11:15 am
Forum: Beginner Basics
Topic: Help with Basic VLAN [SOLVED]
Replies: 30
Views: 3395

Re: Help with Basic VLAN [SOLVED]

Create a vlan sub-interface on the bridge with your relevant vlan number. In "/switch vlan" create a vlan entry and add ether2 and switch1-cpu. You can also add other ports if they might handle vlan traffic. If it's something like an RB2011 you may need to add switch2-cpu to the list to use ports 6...
by usdmatt
Tue Jul 31, 2018 11:05 am
Forum: Scripting
Topic: src-address
Replies: 3
Views: 653

Re: src-address

Documentation seems really bad on this stuff.. It seems to work if the address is quoted: /ip fi fil print where src-address="192.168.10.0/24" Flags: X - disabled, I - invalid, D - dynamic 0 chain=forward action=drop src-address=192.168.10.0/24 dst-address=192.168.0.0/24 log=no log-prefix="" The fol...
by usdmatt
Mon Jul 30, 2018 3:14 pm
Forum: General
Topic: Mikrotik PPPOE SERVER WAN Addresses
Replies: 10
Views: 924

Re: Mikrotik PPPOE SERVER WAN Addresses

I wouldn't bother trying to distribute PPPoE to the customers, although I'm not sure exactly what you mean there. I would just do the following - Assign all the addresses to the Mikrotik. (you can just use as /32 netmask for all but the first address) Have a separate lan port for each customer (not ...
by usdmatt
Mon Jul 30, 2018 12:22 pm
Forum: Beginner Basics
Topic: adding vlans for VMs on Server 2012 [SOLVED]
Replies: 5
Views: 573

Re: adding vlans for VMs on Server 2012 [SOLVED]

What router do you have? I also assume that the router will act as the gateway for these vlans (you want to assign the .254 addresses to the Mikrotik?)
by usdmatt
Thu Jul 19, 2018 4:57 pm
Forum: General
Topic: CCR 1036 12G 4S - Low traffic
Replies: 11
Views: 988

Re: CCR 1036 12G 4S - Low traffic

Interesting that you have the exact same CCRs as us. We have a few hundred PPPoE sessions terminated on ours and one of our engineers suspected that DNS load was causing intermittent problems. We decided to just move DNS onto dedicated resolvers (we just set up a couple of linux vms), which accordin...
by usdmatt
Thu Jul 19, 2018 11:25 am
Forum: General
Topic: How to create a hybrid vlan access port without a trunk port?
Replies: 17
Views: 1978

Re: How to create a hybrid vlan access port without a trunk port?

Having a single port on vlan500 doesn't make much sense as it will be of no use. As far as I can see, all you need to do is create a "vlan500" bridge, and add ether5 to that. You'll end up with that port on its own with no connection to anything else. If you want other ports on the same vlan, just a...
by usdmatt
Wed Jul 18, 2018 5:02 pm
Forum: General
Topic: Disable port - "Couldn't change interface"
Replies: 1
Views: 862

Disable port - "Couldn't change interface"

I have an RB2011 which at this point just has a gateway connection on ether1, and a link to a LAN switch on ether2. Not that it's important, but I thought I may as well disable the rest of the ports for the time being to stop anyone messing around. However, I am able to disable every port other than...
by usdmatt
Wed Jul 18, 2018 4:15 pm
Forum: Beginner Basics
Topic: VLANS between Mikrotik Devices
Replies: 7
Views: 849

Re: VLANS between Mikrotik Devices

I think I might actually have it working!! In the end it seemed to come down to needing the cpu interface adding to the relevant vlans on both ends. I guess routeros won't handle packets destined for addresses assigned to itself over a vlan unless the cpu interface is a member of that vlan. If you'r...
by usdmatt
Wed Jul 18, 2018 12:58 pm
Forum: Beginner Basics
Topic: VLANS between Mikrotik Devices
Replies: 7
Views: 849

Re: VLANS between Mikrotik Devices

At the moment I'm just concentrating on the CRS125 as this is becoming far more of a major undertaking than I expected. I know it's my own lack of routeros understanding, but adding a few access ports and trunks seems far more awkward than anything else I've ever used. I have a device plugged into p...
by usdmatt
Wed Jul 18, 2018 11:23 am
Forum: Beginner Basics
Topic: VLANS between Mikrotik Devices
Replies: 7
Views: 849

Re: VLANS between Mikrotik Devices

Thanks for the reply. I assume if the RB2011 has access to both VLANs then routing will *just work*; Not that I actually need it in this instance. All I really need at the moment is a couple of workstations on a separate LAN, with their own gateway address on the RB2011 (which I'll then NAT to a dif...
by usdmatt
Tue Jul 17, 2018 4:31 pm
Forum: Beginner Basics
Topic: VLANS between Mikrotik Devices
Replies: 7
Views: 849

VLANS between Mikrotik Devices

I'm currently trying and failing to get a simple vlan working between a few Mikrotik devices (Unfortunately I seem to have ended up with a mix of devices which doesn't help). The more I look into it, the more different configuration guides I come across, and the whole lot is just making less and les...
by usdmatt
Wed Jun 27, 2018 1:18 pm
Forum: General
Topic: /ip cloud (ddns + time) = Error: request timed out (90% of time)
Replies: 9
Views: 10193

Re: /ip cloud (ddns + time) = Error: request timed out (90% of time)

Adding my own experience to this. Just had a reason to use this feature as I have a router on an ADSL connection and the user (aka my boss) wants a fixed name to access it. Thought no problem, I can use the cloud option, then just set him a nice dns entry under our domain with a cname to xyz.mynetna...
by usdmatt
Wed Jun 13, 2018 4:34 pm
Forum: Virtualization
Topic: FreeBSD Bhyve
Replies: 2
Views: 1596

FreeBSD Bhyve

Probably not of interest to a lot of people but I was surprised to see a single line about bhyve on the CHR wiki saying it will not be supported as it's paravirtualised. I was able to get CHR running using the raw image and the following configuration file for vm-bhyve. (I basically created a guest ...
by usdmatt
Wed Jun 13, 2018 4:23 pm
Forum: General
Topic: Looking for Free Wi-Fi Client Monitoring Software
Replies: 3
Views: 651

Re: Looking for Free Wi-Fi Client Monitoring Software

I've just been looking at using CHR on bhyve as I want to run a few tests that need more routers than I have lying around. Was a bit surprised to see the Wiki say it will never be supported as it's paravirtualised, especially as it's not paravirtualised. Thought I'd give it a go as I've had quite a ...
by usdmatt
Wed Nov 16, 2016 4:04 pm
Forum: General
Topic: PPPoE bandwidth limiting with contention
Replies: 0
Views: 495

PPPoE bandwidth limiting with contention

Hello, We currently use a couple of CCR routers to handle PPPoE connections from about 200 users. So far we are using simple queues to enforce bandwidth limits as it's pretty much completely automated (we return Mikrotik-Rate-Limit from radius when users connect), and it 'just works'. There are a co...
by usdmatt
Mon Feb 22, 2016 8:21 pm
Forum: General
Topic: Inter-VPN Traffic - Lost in Prerouting
Replies: 1
Views: 505

Re: Inter-VPN Traffic - Lost in Prerouting

Just to add some more to this, I've tested by replacing the London end with a test Mikrotik in our office. So I've assigned the 192.168.114.0/24 network to a test Mikrotik, disabled all the London VPN policies and recreated new policies pointing at my test device. With this everything works as expec...
by usdmatt
Mon Feb 22, 2016 1:34 pm
Forum: General
Topic: Inter-VPN Traffic - Lost in Prerouting
Replies: 1
Views: 505

Inter-VPN Traffic - Lost in Prerouting

I am currently having a lot of trouble trying to get traffic to pass between two IPSec VPNs on our Mikrotik RB2011. The setup looks a bit like this - Site A - USA Dell Watchguard Subnet: 192.168.12.0/24 Site B - London Draytek 3900 Subnet: 192.168.114.0/24 Data Centre - Midlands UK (Us) Mikrotik RB2...
by usdmatt
Fri Aug 08, 2014 5:11 pm
Forum: Beginner Basics
Topic: Routerboard 2011UiAS-2HnD with Cisco PVC300 and PoE
Replies: 1
Views: 875

Re: Routerboard 2011UiAS-2HnD with Cisco PVC300 and PoE

I suspect the camera uses 'normal' PoE (802.3af/at) which most off-the-shelf PoE switches provide. The Mikrotik kit all uses 'Passive PoE'. It's all incredibly confusing and I'm surprised the industry hasn't been forced to stop calling them both 'PoE'. The first converter you list seems to accept 80...
by usdmatt
Fri Aug 08, 2014 4:40 pm
Forum: General
Topic: Secure PPOE WAN
Replies: 1
Views: 562

Re: Secure PPOE WAN

I'm pretty sure you need to drop packets coming from the ppp interface. If it were me I'd just have my last rule as a drop all (no criteria/interface specified). That way nothing is getting through unless you've specifically allowed it. Just make sure you have an allow rule for traffic from your loc...
by usdmatt
Fri Aug 08, 2014 4:28 pm
Forum: General
Topic: Mikrotik-Group for PPPoE
Replies: 5
Views: 1840

Re: Mikrotik-Group for PPPoE

The manual says "Hotspot default profile for Hotspot users" so that value may only be valid for the Hotspot function. I'm not 100% on that but if you can get it working fine for hotspot but not PPPoE then it sounds likely. I know from my own testing that there are a lot of supported radius attribute...
by usdmatt
Fri Aug 08, 2014 4:08 pm
Forum: General
Topic: PPPOE SERVER Glitch
Replies: 14
Views: 4465

Re: PPPOE SERVER Glitch

Opening an old-ish thread but does anyone have any updates on this? Did Mikrotik ever respond? We had exactly the same problem last year (would probably be around the same time as the rest of the posts here) on a CRS-1036. We have two of the units and they were running 6.0 when installed (performing...
by usdmatt
Wed Oct 30, 2013 5:06 pm
Forum: General
Topic: RB2011 Default Port Configuration (Master/Bridge)
Replies: 18
Views: 10717

Re: RB2011 Default Port Configuration (Master/Bridge)

Yes, for my home RB2011 I've set port 6 as the gateway (BT's VDSL Modem only links at 100Mbps max by the look of it anyway) and I'm using 1-5 as a straight gigabit switch. For most purposes defaulting to WAN on port 1 is probably a waste of a gig port, although it's consistent with all other RouterB...
by usdmatt
Wed Oct 30, 2013 3:42 pm
Forum: General
Topic: RB2011 Default Port Configuration (Master/Bridge)
Replies: 18
Views: 10717

RB2011 Default Port Configuration (Master/Bridge)

Hello, I'm slowly getting up to speed on the intricacies of RouterOS/RouterBoards but one thing intrigues me about the default configuration on RB2011 devices (and maybe others). My understanding is that bridging ports involves the CPU (unless any RouterBoards have fancy bridging hardware I'm not a...
by usdmatt
Wed Oct 30, 2013 3:23 pm
Forum: General
Topic: Cloud Core spi Process
Replies: 5
Views: 2797

Re: Cloud Core spi Process

Thanks leonset. Usually big companies are near impossible to get help from directly as an end user, which is why I thought I'd ask in the forums. That doesn't appear to be the case with Mikrotik though :D. They replied within minutes that this process is mainly involved with disk read/write and that...
by usdmatt
Tue Oct 29, 2013 6:42 pm
Forum: General
Topic: How to make sense of "Bytes Out" OID
Replies: 3
Views: 2511

Re: How to make sense of "Bytes Out" OID

The ifInOctets, ifOutOctets (Octets = bytes) SNMP values are counters that will continue to rise while the interface is up. What usually happens is that you read the value every few minutes (5 is common), then use the difference between the current value and the last reading to see the average trans...
by usdmatt
Tue Oct 29, 2013 6:26 pm
Forum: General
Topic: Cloud Core spi Process
Replies: 5
Views: 2797

Cloud Core spi Process

Hello, we have 2 Cloud Core routers (the original 4GB RAM ones) which are configured almost identically providing the following functions: PPPoE Server DNS Server Simple Firewall (Blocking P2P on forward chain and restricting access with about 10 input chain rules) Small OSPF Area (Makes sure PPPoE ...