Community discussions

Search found 896 matches

by cdiedrich
Thu Aug 22, 2019 1:19 pm
Forum: Beginner Basics
Topic: mac address/Wifi connection
Replies: 1
Views: 90

Re: mac address/Wifi connection

WhatsApp uses end-to-end encryption, so you're basically safe. Even if an attacker captures your raw data stream of a conversation, they still have to decrypt it. I wouldn't say that it's impossible, but frankly not within reasonable amount of labor, time and skills. Assuming that your WiFi is alrea...
by cdiedrich
Tue Aug 20, 2019 12:56 pm
Forum: Scripting
Topic: Round decimal number [SOLVED]
Replies: 2
Views: 275

Re: Round decimal number [SOLVED]

Haven't found a real round function, but you may get lucky with this decimal calculation script and specify the decimal point place.
-Chris
by cdiedrich
Mon Aug 19, 2019 5:32 pm
Forum: Wireless Networking
Topic: upload speed down
Replies: 7
Views: 481

Re: upload speed down

The config looks good so far. There's still a dhcp-client active on wlan1 - since you're using pppoe you won't need dhcp. I can only think of a polarization and/or alignment issue here - check your signal levels, the rx levels on both chains should be pretty close, an imbalance of 6 or more dB is a ...
by cdiedrich
Mon Aug 19, 2019 1:20 pm
Forum: Beginner Basics
Topic: Learning about Dude
Replies: 1
Views: 143

Re: Learning about Dude

The answer to each of your questions is yes.
For testing/learning/evaluating, you should consider deploying a CHR instance via ova in your ESX environment. It doesn't have a 24h limit but is limited to 1MBps throughput in unlicensed state.
-Chris
by cdiedrich
Fri Aug 09, 2019 9:02 am
Forum: General
Topic: unknown packets broadcasted
Replies: 3
Views: 367

Re: unknown packets broadcasted

I'd say it's CDP messages to 01:00:0C:CC:CC:CC. Check your discovery settings and adjust your discovery interface list to just the interfaces really needed for discovery. -Chris Edit: After re-reading the post in terms of timing and looking at the amount of bridges (I now assume that there's a bridg...
by cdiedrich
Fri Aug 09, 2019 8:26 am
Forum: General
Topic: Slow transfer speeds on LAN
Replies: 4
Views: 441

Re: Slow transfer speeds on LAN

From first sight I'd say that it's bridge-related. You have two bridges on the same physical switch chip (which covers sfp and ether1-5). And hw-offload is only available for one bridge per switch chip. So I guess that your link-local traffic is going through the CPU. It looks that you don't really ...
by cdiedrich
Fri Aug 09, 2019 8:12 am
Forum: Beginner Basics
Topic: Split /24 public ip addresses [SOLVED]
Replies: 2
Views: 507

Re: Split /24 public ip addresses [SOLVED]

Pretty straight forward:
/ip firewall address-list
add list=wan.1 address=192.168.0.2
add list=wan.1 address=192.168.0.3
...
add list=wan.2 address=192.168.0.9
add list=wan.2 address=192.168.0.10
...and so on
/ip firewall nat
add action=src-nat src-address-list=wan.1 to-address=add list=wan.1 addres...
by cdiedrich
Wed Aug 07, 2019 3:15 pm
Forum: Forwarding Protocols
Topic: Routing Subnets not published by my router
Replies: 6
Views: 671

Re: Routing Subnets not published by my router

Copy that - what a bummer. Now it really gets tricky and I'm not sure if it's possible at all. It might be worth a try to assign all addresses of all subnets to the router, give the machines other private subnets and create netmap rules for each and every IP address... Together with hairpin nat... W...
by cdiedrich
Wed Aug 07, 2019 10:27 am
Forum: Forwarding Protocols
Topic: Routing Subnets not published by my router
Replies: 6
Views: 671

Re: Routing Subnets not published by my router

The best way would be to talk to your ISP and let him give you control over your subnets, these should then typically be routed through a /30 transport subnet - one end their router, the other end your CCR.
-Chris
by cdiedrich
Mon Aug 05, 2019 5:37 pm
Forum: Beginner Basics
Topic: Restrict access to hEX Ethernet port only for wAP
Replies: 21
Views: 1451

Re: Restrict access to hEX Ethernet port only for wAP

I can think of a couple of scenarios: 1. Isolating the AP from the rest: Create a dedicated /30 transport network for this certain AP and make ARP on those two interfaces (ether on hEX, ether1 on AP) static. Configure separate datapaths for all your WiFi networks for manager forwarding and apply the...
by cdiedrich
Mon Aug 05, 2019 11:49 am
Forum: Beginner Basics
Topic: Please help!!!!
Replies: 5
Views: 458

Re: Please help!!!!

If your router has a serial console, you might get lucky with access from there and probably a script logging you in and disabling your netwatch item. That shouldn't take longer than two seconds.
Good luck!
-Chris
by cdiedrich
Thu Aug 01, 2019 4:47 pm
Forum: Beginner Basics
Topic: AirPrint doesn't work
Replies: 7
Views: 877

Re: AirPrint doesn't work

If you didn't touch the data rates, then it should be good.
-Chris
by cdiedrich
Thu Aug 01, 2019 4:02 pm
Forum: General
Topic: DHCP error message [SOLVED]
Replies: 4
Views: 274

Re: DHCP error message [SOLVED]

Ooops... sorry, I was too quick reading your post. The error deals with dhcp client. That might be a heritage from the original config when ether1 was WAN.
It looks like you configured your device for bridging only or get WAN through SFP. So it should be safe just to remove that dhcp-client.
-Chris
by cdiedrich
Thu Aug 01, 2019 3:55 pm
Forum: General
Topic: DHCP error message [SOLVED]
Replies: 4
Views: 274

Re: DHCP error message [SOLVED]

Put the dhcp server on the bridge and not on physical interfaces being member of a bridge.
-Chris
by cdiedrich
Thu Aug 01, 2019 3:00 pm
Forum: Beginner Basics
Topic: AirPrint doesn't work
Replies: 7
Views: 877

Re: AirPrint doesn't work

Setting multicast-helper from 'default' or 'disabled' to 'full' should solve the issue.
Additionally, check if lower rates are disabled - I had this issue more than once when el-cheapo WiFi printers only worked reliably when lower rates were re-enabled.
-Chris
by cdiedrich
Wed Jul 31, 2019 4:24 pm
Forum: General
Topic: DNS setting via DHCP being ignored on Vlan
Replies: 8
Views: 611

Re: DNS setting via DHCP being ignored on Vlan

Post an export of your config and we can have a look at it - everything else will be guessing.
-Chris
by cdiedrich
Wed Jul 31, 2019 2:00 pm
Forum: Beginner Basics
Topic: 2 ISP + L2TP/IPsec
Replies: 2
Views: 350

Re: 2 ISP + L2TP/IPsec

I guess you add routing marks for this PC, correct? You'll need to add a route to this PC with its new routing mark to work. Like:
/ip route add dst-address=192.168.88.22 gateway=bridge routing-mark=myWan2-mark
Edit: And probably (if even not more likely) a route to the vpn client with that routing ...
by cdiedrich
Wed Jul 31, 2019 1:30 pm
Forum: Useful user articles
Topic: Force OpenDNS and Safe Search on a vlan only
Replies: 1
Views: 309

Re: Force OpenDNS and Safe Search on a vlan only

You should be good to set src-address in your dst-nat rules matching the subnet of your specific vlan.
If you have more address spaces to cover, you might be better off with an address list.

And I think your post is better placed in General.

-Chris
by cdiedrich
Wed Jul 31, 2019 1:04 pm
Forum: Scripting
Topic: Email-script if a certain DSTNAT is used
Replies: 1
Views: 271

Re: Email-script if a certain DSTNAT is used

You might get lucky with this log parser script.
If you have more than a handful of equipment, it might be worth considering collecting all logs centrally. We're running Graylog to collect the logs from ~200 devices and setting up alerts in Graylog is really easy.

-Chris
by cdiedrich
Wed Jul 31, 2019 8:36 am
Forum: General
Topic: DHCP Server assign IPs to MACs 00:00:00:00:00:00
Replies: 6
Views: 474

Re: DHCP Server assign IPs to MACs 00:00:00:00:00:00

...assigned by UniFi APs? So you have multiple dhcp servers in a single network?
First step is to disable those dhcp servers.
Second step is to check whether there's one or more devices with proxy-arp configured in your network. I could bet your lan-facing interface has proxy-arp enabled.
-Chris
by cdiedrich
Wed Jul 31, 2019 8:13 am
Forum: General
Topic: MAC Address limitation
Replies: 7
Views: 727

Re: MAC Address limitation

The definitely best solution is dot1x as @sebastia mentioned. When your switches support it as well you're close to 100% secure.
-Chris
by cdiedrich
Mon Jul 29, 2019 5:49 pm
Forum: Scripting
Topic: DuckDNS Update Script (free DynDNS alternative)
Replies: 16
Views: 12197

Re: DuckDNS Update Script (free DynDNS alternative)

It pretty much looks like a private address - 172.22/16 is within 172.16/12 which is a private range.
And since the initial script is pulling the address from the interface, I'm sure you have a private address and your ISP is NATing your address.
-Chris
by cdiedrich
Mon Jul 29, 2019 5:14 pm
Forum: Scripting
Topic: DuckDNS Update Script (free DynDNS alternative)
Replies: 16
Views: 12197

Re: DuckDNS Update Script (free DynDNS alternative)

Hi - when I try to use this, it appears that there is another private address between my Mikrotik router and the internet. So it returns a private address. Any other way I can do this? You could get your IP this way: /tool fetch mode=http http-method=get url=http://icanhazip.com/ dst-path=myip....
by cdiedrich
Mon Jul 29, 2019 4:03 pm
Forum: General
Topic: MAC Address limitation
Replies: 7
Views: 727

Re: MAC Address limitation

I'd like to add the option of only using static dhcp leases with "add arp for lease" option and setting the arp mode of the lan-facing interface to reply-only.
That at least blocks rogue clients from accessing the internet.
-Chris
by cdiedrich
Mon Jul 29, 2019 10:46 am
Forum: The Dude
Topic: Multiple Vlan monitoring
Replies: 6
Views: 747

Re: Multiple Vlan monitoring

I get your points and understand your problems - I am in the events industry as well and know the woes with guest productions sharing consoles :-) A possible solution could be HotSpot with IP-binding aka one-to-one-NAT aka "Universal client" - you can translate literally any IP address to a valid ad...
by cdiedrich
Fri Jul 26, 2019 12:21 pm
Forum: Scripting
Topic: Built in function library
Replies: 50
Views: 11329

Re: Built in function library

I'd love to see the terminal object-oriented.
Please stop the off-topic messages, and please delete them if they are yours.
(I will delete this when that happens)
After re-reading my post I have to fully agree. Edited.
Thanks,
-Chris
by cdiedrich
Fri Jul 26, 2019 11:46 am
Forum: General
Topic: Load balancing over dual L2 backhaul fibre
Replies: 4
Views: 239

Re: Load balancing over dual L2 backhaul fibre

Perfect.
So a bonding with balance-rr should absolutely do the trick.
-Chris
by cdiedrich
Fri Jul 26, 2019 11:03 am
Forum: General
Topic: Load balancing over dual L2 backhaul fibre
Replies: 4
Views: 239

Re: Load balancing over dual L2 backhaul fibre

What device is the other end of that link?
Is it a switch? Or another MikroTik router?

You should be absolutely fine with bonding and balance-rr. Unfortunately, only very few switches do this as well. And be aware that balance-rr can cause a lot of out-of-order packets.

-Chris
by cdiedrich
Thu Jul 25, 2019 5:58 pm
Forum: Scripting
Topic: Built in function library
Replies: 50
Views: 11329

Re: Built in function library

[removed b/c off-topic]
Additionally to all the mentioned functions, I'd consider a basic set of IP calculations very helpful.

-Chris
by cdiedrich
Thu Jul 25, 2019 12:58 pm
Forum: Scripting
Topic: Notification for new DHCP leases [SOLVED]
Replies: 2
Views: 275

Re: Notification for new DHCP leases [SOLVED]

Sure.
Take a look at "lease-script" in the dhcp-server manual.
Add your matchers against the leaseActIP variable and then trigger an email.

-Chris
by cdiedrich
Tue Jul 23, 2019 5:13 pm
Forum: General
Topic: RSTP, when on lose ability to connect by IP to non root switch
Replies: 5
Views: 522

Re: RSTP, when on lose ability to connect by IP to non root switch

Nope, a root bridge can't have a backup port. It's on the other bridges to turn ports into backup. I guess the 60GHz link is MikroTik? What is the 24GHz link? Is it an AirFiber? Is WDS enabled on it? Is any STP-flavor definitely disabled on the w/l links? I had some similar issues a while ago when S...
by cdiedrich
Tue Jul 23, 2019 2:33 pm
Forum: The Dude
Topic: Multiple Vlan monitoring
Replies: 6
Views: 747

Re: Multiple Vlan monitoring

You could run a discovery for the given subnets.
But that is a one-time run, either you repeat it every now and then or look for some other solution (NetXMS could deliver what you're looking for as it constantly scans the networks).
-Chris
by cdiedrich
Tue Jul 23, 2019 11:55 am
Forum: Wireless Networking
Topic: How to make a CAPsMAN redundant?
Replies: 1
Views: 289

Re: How to make a CAPsMAN redundant?

If the bridges are replicable on the other router is solely your realm. If so, it's absolutely possible to add a redundant CAPsMAN. Make the two a vrrp cluster and clone the CAPsMAN config over to the other. Make your APs connect to the vrid. Make sure you disable all L2 connectivity for APs and man...
by cdiedrich
Mon Jul 22, 2019 3:38 pm
Forum: General
Topic: Allow traffic from one LAN to another but not the reverse [SOLVED]
Replies: 3
Views: 298

Re: Allow traffic from one LAN to another but not the reverse [SOLVED]

/ip firewall filter
add action=accept chain=forward dst-address=172.16.11.0/24 src-address=172.16.10.0/24
add action=accept chain=forward connection-state=established,related dst-address=172.16.10.0/24 src-address=172.16.11.0/24
add action=drop chain=forward connection-state=invalid,new dst-address...
by cdiedrich
Mon Jul 22, 2019 10:46 am
Forum: General
Topic: 19" POE panel with LAN control
Replies: 1
Views: 247

Re: 19" POE panel with LAN control

I was looking into the same challenge recently. There's the Phihong POE370U which offers a network interface for management (web interface) and snmp monitoring.
But looking at the pricing, a decent PoE switch might come in cheaper.

-Chris
by cdiedrich
Mon Jul 22, 2019 10:30 am
Forum: Beginner Basics
Topic: Use eth1, eth2 and WiFi in same network...
Replies: 1
Views: 214

Re: Use eth1, eth2 and WiFi in same network...

Remove all firewall rules in filter and nat sections.
Remove dhcp-client from ether1.
Add ether1 to bridge-local.
Remove ether1 from Interface-list "WAN".
Add ether1 to interface-list "LAN".
Done.

Then you still have a dhcp server running on your device. Disable it if not needed.

-Chris
by cdiedrich
Sat Jul 20, 2019 10:34 am
Forum: General
Topic: RB450Gx4 and hAPac spanning tree problem
Replies: 11
Views: 991

Re: RB450Gx4 and hAPac spanning tree problem

As you can see, we don't get any further.
Now is the point to post both your full configs.
/export compact hide-sensitive
-Chris
by cdiedrich
Fri Jul 19, 2019 1:10 pm
Forum: General
Topic: RB450Gx4 and hAPac spanning tree problem
Replies: 11
Views: 991

Re: RB450Gx4 and hAPac spanning tree problem

This is not a full config export.
And are you sure about always-strip?
by cdiedrich
Thu Jul 18, 2019 3:43 pm
Forum: Forwarding Protocols
Topic: Can't establish LDP session between two Mikrotik routers
Replies: 7
Views: 601

Re: Can't establish LDP session between two Mikrotik routers

But if I remove an interface from the bridge, I lose connectivity to that interface. This is why I always add all interfaces to the default bridge.
You will have mpls connectivity on this interface.
by cdiedrich
Thu Jul 18, 2019 3:33 pm
Forum: Forwarding Protocols
Topic: Can't establish LDP session between two Mikrotik routers
Replies: 7
Views: 601

Re: Can't establish LDP session between two Mikrotik routers

LDP interface configuration is invalid. Are those interfaces slaves? If yes then you need to add master. Yes, they are all slaves. I run version 6.42.11 and 6.43.9. All my interfaces are linked to the default bridge: /interface bridge port add bridge=bridge comment=defconf interface=ether2 So you an...
by cdiedrich
Thu Jul 18, 2019 12:57 pm
Forum: General
Topic: configure multiple public IP address on DVR
Replies: 1
Views: 226

Re: configure multiple public IP address on DVR

Add the addresses to your wan-interface. Give the DVR an internal address. Then create dst-nat rules with the specific IP as dst-address, netmap as action and the DVR as to-address. (probably better to just dst-nat protocols and ports really needed for the DVR) It might be wise to create a dedicate...
by cdiedrich
Thu Jul 18, 2019 12:55 pm
Forum: General
Topic: encrypted password for mikrotik config
Replies: 19
Views: 4171

Re: encrypted password for mikrotik config

and not to mention to have the user database in an export.
by cdiedrich
Wed Jul 17, 2019 5:05 pm
Forum: General
Topic: RB450Gx4 and hAPac spanning tree problem
Replies: 11
Views: 991

Re: RB450Gx4 and hAPac spanning tree problem

So as said twice now, post your configs and we can get a grasp of what's going on.
-Chris
by cdiedrich
Wed Jul 17, 2019 3:47 pm
Forum: Beginner Basics
Topic: My NAT forwarding is working, but I don't know how!
Replies: 2
Views: 253

Re: My NAT forwarding is working, but I don't know how!

dst-address is meant to be the WAN address of your router the server is located behind. I assume the 93. address is the remote location, correct? specifying a src-address surely adds some layer of security b/c the dst-nat will only happen when the connection is originated from this particular addres...
by cdiedrich
Wed Jul 17, 2019 1:54 pm
Forum: General
Topic: RB450Gx4 and hAPac spanning tree problem
Replies: 11
Views: 991

Re: RB450Gx4 and hAPac spanning tree problem

As Anav said, we're fishing in the dark without actually seeing your configs.
I could imagine two more scenarios:

Is it possible that the PVIDs differ between the devices?
Can there be an additional link between them through an access port?

-Chris
by cdiedrich
Tue Jul 16, 2019 5:31 pm
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 1495

Re: RB951G & NordVPN (IKEv2/IPsec) [SOLVED]

I bet it's your hardware. The 951 is MipsBE and this is far from ideal for encrypting IPsec traffic. You might want to try a 750Gr3, 3011, 4011 or CCR series - these offer hardware acceleration. I personally run a 750Gr3 in my remote office which talks to our main office (CCR1036) through IPsec and ...
by cdiedrich
Tue Jul 16, 2019 5:17 pm
Forum: Forwarding Protocols
Topic: Multicast to PPP clients
Replies: 12
Views: 1079

Re: Multicast to PPP clients

That is an excellent point!
-Chris
by cdiedrich
Tue Jul 16, 2019 5:10 pm
Forum: General
Topic: Why Mikrotik ???
Replies: 32
Views: 5738

Re: Why Mikrotik ???

(c) Do Mikrotik have any limitations? That truly is difficult to answer. I'm managing about 5000 individual devices (covering routers, switches, wireless devices and more from MikroTik, Fortinet, Cisco, Juniper, SilverPeak, PepLink, UBNT and many more) in any given year and I'd say that about 90% o...
by cdiedrich
Sun Jul 14, 2019 12:44 pm
Forum: Forwarding Protocols
Topic: Multicast to PPP clients
Replies: 12
Views: 1079

Re: Multicast to PPP clients

Try adding a static route to your DG as follows:
224.0.1.1 via 172.16.4.17

-Chris