MikroTik

msatter

. . Also for those too lazy to read where to get the new winbox.exe here you go: https://www.mikrotik.com/download/share/winbox.exe that link was not in the update text of the package manager, but was in the post about the latest release. 8) Is now mentioned at the top of the posting. The original ...

msatter

.
.
We are also working on a blog.

That is excellent news and will make information easier accessible and questions/discussion can be done in the forum linked to from the blog.

msatter

When I add an address to an address list in the rules lines I can set instead of a expiration time for that specific entry. This can be done by setting a time-out time or none dynamic or none static. I wanted to do this also in the terminal but those two options beside the time are not available. I ...

msatter

*) backup - do not encrypt backup file unless password is provided;

I will wait till the next release because of the possible pitfalls when having to clear the configuration.

msatter

viewtopic.php?p=648228

msatter

How about RM(rackmount) version of Hex?

You could use a tray and put a few of those little rascals side by side.

msatter

I use the content filter in RAW to drop the direct IP traffic. You have to disable fast tracking for that direction or only engage fast tracking after 1100bytes. It was in a recent MUM presentation if I remember that correctly. This is for a known IP and if you want to filter all direct IP address o...

msatter

PDF about the RB760igs:

https://www.ip-sa.com.pl/doc/datasheet/hEX_S.pdf

Nice replacement for the RB750Gr3 and I could connect the router directly the glass fiber and do away with the NTU.

Power usage went up from 5 watt yo 11 watt and the PoE OUT is a nice bonus.

msatter

See: viewtopic.php?f=3&t=134215

msatter

When you enter terminal press TAb twice and curse, it is already implemented. I don't like it because I have to close the terminal window and reopen it type the commands in full and press TAB once to complete or some help which options are available.

msatter

I had good hope my ticket (Ticket#2018042122002234) would be resolved in this version but it is not. Setting Neighbors to !Dynamic still pokes my Dail-on-Demand connection and won't let it go to sleep when the time-out is there. When I look in interfaces - interface lists I don't see any content in ...

msatter

I was wrong on that and I am confused on my thoughts that it was possible. I really remember seeing and even check if i could set connection tracking which was not posible. I have a backup from a config that was no working correct and I went back then several days to restart from base again. As I sh...

msatter

Cisco sucks in making tablets.

msatter

Make visible/controllable in RouterOS if the ports are in switch mode or in CPU mode.

msatter

If you add the source then it could be working for several tv/set-topbox/tablet/phone independent but I don't think that will be doable. Using destination you can control access to the destination the IPTV is transmitted from, this if it is one source. Update: have made an first setup and 10.20.20.0...

msatter

If you can identify the traffic by IP or port then you could use two addresslist. The first set the IP to be blocked for 24 hours. The second one allows for three hours. On set: Put IP destination address in three hour list if not in the 24 hour list Put IP destination address in in 24 hour list if ...

msatter

I would this the other way around. This if you know only the bad servers. /ip firewall raw add action=accept ! <match bad traffic> add action=drop <match bad traffic> If you want to use marking in mangle so it will not be blocked (VoIP related) /ip mangle add pre-routing rule mark-connection-type ma...

msatter

I have the opposite problem that traffic destined for the VPN is wanting to get out through the ISP (pppoe-out-1). In my routing table all the VPN connections and the ISP have as distance "1". When I set the ISP distance to 2 and the VPN stays 1 then my VPN connections don't start any more. I don't ...

msatter

You should receive a support number by mail. Support is catching up and the 1st of May was probably a free day for them.

msatter

Pleased to read that the DNS/DHCP worked and now you have the same workings as in the fritz.box. DNS is really great to use and I love the Round Robin function when having multiple IP addresses on one domain name. Tagging/untagging on the switch port is fine. Default, subnets can't see each other un...

msatter

The fritz.box, which you are using for VOIP has no option to set VLAN. DNS knows only IP no VLAN, so you use the IP. If your domain is only internal then I suggest that you use .local instead of .de because .de is kept in the DNS on the Internet. VLAN is separating the networks and subnets also do t...

msatter

Yet another DHCP to DNS script That is great and that is for later. AVM automates a lot so basic knowledge is not transfered. Christiaan please take care that your DNS is not open to requests from the internet. Note: If allow-remote-requests is used make sure that you limit access to your server ov...

msatter

The Mikrotik has no build-in DNS server but is very flexible in the DNS functions. Going back to your client IP. You request this from the DHCP sever and mostly the IP is the same and if not you can make that IP static. Open line - copy - - eneter wished IP - remove original - save copy Now you can ...

msatter

The Fritz.box did that for you. You have to put the adress and domain name in the static DNS and if the match the client request the IP will be returned. For existing domain names not matching the static DNS will be requested on the Internet once connected. The DNS provide by your ISP is called peer...

msatter

DNS is just like a phonebook. You have to make clear for yourself if you have the correct phonebook and where it lays and who can look into it. As soon you use .de your DNS will look outside the router on the Internet. You are looking in a phonebook that is not in the fritz.box RouterOS has an stati...

msatter

Have a look if you AVM fritzbox can be set to be a bridge so it only takes care of your internet connection.

msatter

I have restarted the router and then it worked again with a netmask. I have restarted a few times the last two days and I had that problem also befrore an other restart.

Next time I will try your suggestion. I have also sent this to support so they can look if there is a gremlin in there.

msatter

I encountered a really strange problem with the address-lists. I had some trouble entering ip addresses with netmask in the past and the message was it was not a domain. I worked around it by first entering it without an netmask and add the netmask later. This occurs sometimes and I believe also in ...

msatter

Your router board will still work with a not up to date firmware. You might miss improvement's.

Sometimes

One point of failure makes life easier. If you update two more points at the same time you won't know which is causing or interacting is the problem.

msatter

I wrote above: "ACCEPT specific match (does not return where the jump started and goes to MASQ/NAT/FILTER page)" however after some more expediences it appears to be: ACCEPT specific match (does not return where the jump started and goes NOT to MASQ/NAT/FILTER page) Am I correct with this last exper...

msatter

The trainer focussed on the term fasttrack which was not the question. I have not a big problem with it and he was unsure about his answer as you can read.

msatter

A connection can't have different states at the same time so it is match any.

msatter

You can't block that. There was a recent discussing about that. There are postings in front and after it:

viewtopic.php?f=21&t=133533&hilit=Neigh ... 00#p656739

msatter

And I'm sorry for incorrect sequence: chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of your Hex" chain=input action=drop src-address-list=Port_Scanner chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w Not.....

msatter

Thanks Sindy it works great.

msatter

In RouterOS you can have a certain amount of luck or randomness ...

So did you try script3 with the line I suggested? It is not stored locally but you have to define it in a different script.

If it does not work then state the policies for that script.

msatter

When you are using in an other script then written to the global variable you have put into the other script at start :global backupfile; .

msatter

I want do add an address to an address-list and I have some trouble getting the address. Because the normal way does not want to return the address and it seems to need the .id :put [find protocol=ipsec-esp]; *2306;*230d;*230e;*23b2 This is my try: :local ip [get [find where protocol=ipsec-esp] valu...

msatter

:D :D Maybe it is because I did programming long ago in assembler, where JUMP typically means "go to a different address in the program" and CALL means "save the current address on the stack, go to a different address, run the program there until you hit a RETURN instruction, which means get the ad...

msatter

I made some converters running in Linux which download the lists and convert them to a import RSC file. I use Spamhaus as source. I have now about 50.000 addresses in list. Best you can filter in RAW and you have take care to keep non-fasttrack traffic away from the filters and filter those separate...

msatter

You can check /System Scripts Environment after a run how the name of the variable is, at-least if it is a global variable.

msatter

I read in a discussion on an other website about the last vulnerability (April 2018) that Winbox was downloadable straight from the router? It should be then in side the firmware or side loaded into the router.

I am not that long, a owner of Mikrotik equipment so my memory is limited in this.

msatter

Thanks pe1chl that was the solution to my problem to have an extra RETRUN needed to stop UDP traffic travelling on. The traffic that was the most prominent was port 20561 so when I was using winbox in MAC config. ;-) This still leaves the request for adding the Passthrough checkbox active because it...

msatter

JumpReturn.jpg add action=jump chain=prerouting jump-target=UDP-target protocol=udp add action=return chain=prerouting log-prefix=UDP-target protocol=udp . . add action=accept chain=UDP-target comment=WireShark/Winpap disabled=yes dst-address=192.168.88.99 dst-port=37008 protocol=udp . . add action...

msatter

I used today Action Jump to a Chain. I had to put an second Return just beneath the Jump line to not process also the rest of the lines, when the custom Chain was filtered. Feature request is like as in Connection Marking an Router Marking, to add a box in Action to stop processing of the rest of th...

msatter

Use a short period of one minute timeout to connect after knocking. Keep te connection by using established.

This way any parallel hackers on the same source IP have less than a minute to do harm.

After you disconnect established is over and you have to nock again to get in.

msatter

I checked this on all our routers upgraded to 6.42 or 6.41 ... And In ROS 6.41 and 6.42 Mikrotik Neighbor Discovery protocol outgoing traffic is actually allowed to bypass firewall altogether and cannot be caught in any chain, not something that any process should be IMHO ... And for me this is act...

msatter

Thanks for the nice port-knocking program.

msatter

You are writing to flash memory (Disk) so keep logging to a minimum and lines that are not essential write those to memory.

msatter

I'm glad to see this got fixed so soon! Many thanks to the team who works on this (and lost a lot of sleep probably)! I reacted earlier to your post to include also the users of Mikrotik devices. I agree that Mikrotik worked fast and were communicative about the vulnerability. The final solution fo...

Search found 715 matches