MikroTik

msatter

Something like this: https://m.youtube.com/watch?v=mk7VWcuVOf0

msatter

Jotne created a loop in the thread by linking back to the same thread.

msatter

Way out: viewtopic.php?f=2&t=161644

msatter

I found that diagram always a bit strange. It states "integrated switch chip" integrated in the CPU? The the diagram is then not logical. That is why I prefer the other diagrams. If you reach 500Mbit/s then fasttracking is working or you would be around 250Mbit/s. Look for way to optimize your rules...

msatter

I don't put the port used as WAN in the bridge. PPPoE plus VLAN around 900 Mbit/s on upload speedtest.net. Port 1, 3, 5 sits on one lane and 2, 4 on the other. https://i.mt.lv/cdn/rb_files/RB760iGS-dsw-180517144423.png The little one hEX https://i.mt.lv/cdn/rb_files/RB750Gr3-dsw-161125140316.png

msatter

Pleased to see how it works and I see that routing is used to project the public IP, on the port of the Mikrotik. The Moviestar is 'switch' removed, so that one is out of the picture. This is used where you can't put the router in bridge mode. Going to test it for myself and can used it in those sit...

msatter

Nostromog put in and the VLAN seems already to be removed by the Teldat so the the Internet + VOIP is terminated there. All behind that is then local. I only see this now and so a PPPoE on you Mikrotik is futile unless the Teldat is bridged. I don't even know what the Teldat is but I could be someth...

msatter

I found some interesting behavior that could explain the use of the ":". { :delay 4s /interface :if (([pppoe-client monitor pppoe-ikev2 as-value once]->"mtu") < 1500) do={ disable sfp-sfpplus1 :delay 50ms enable sfp-sfpplus1 :log warning "PPPoE MTU lower than 1500, so the SFP port is restarted"} } O...

msatter

When I plug in a laptop directly to the Movistar' Switch I get the address 192.168.1.X, so it must be in router mode. Your subnet is then 192.168.1.0/24 and your Mikrotik has to use the same subnet to communicate with the Moviestar 'switch". When you changed to the new settings then the DHCP also c...

msatter

And which subnet are you using. Old 192.168.100.x and new 192.168.1.x so you are on the wrong track in the new config when using 192.168.100.10/24

msatter

I give up. The solution is so simple but no one wants to see it.

msatter

Make that src-nat redirecting tcp/udp 53 to the Pi-hole.

dst-nat is traffic coming in and src-nat is going out. Have also look at hairpin in the wiki for traffic returning from the Pi-hole. And that is dst-nat traffic.

msatter

Nope.

Piece of tape will do wonders.

msatter

They are not proud of this but it does exists at least:

https://blog.mikrotik.com/security/

This is the last one who's router was hacked:
viewtopic.php?f=2&t=161521

msatter

Using the SFP, cripples the hEX S and it will get a dedicated lane to CPU. The other 5 ports have to share the other lane. I rather had seen that that ether1 would be disabled when the SFP is used and that both lanes are used by more ports. I have bought a 4011 for more encrypting speed and a dedica...

msatter

To me the old config is over a bridge. add address=192.168.100.10/24 interface=ether1-gateway Is that IP matching the new configuration? Try 192.168.1.10 if it is free and also change the VLAN 6 to 20 and 3 to21. No, that IP is the MikroTik's WAN and I must change it to 217.X.X.X in the new configu...

msatter

And that is not how this forum or any other medium works to post IP addresses in public (personal data).

And for kids there is a special kid control unit available under /ip.

msatter

The FiberStore sells active DAC cables beginning at 36 Pound for a 1 meter cable up to 67 Pound for a 10 meter cable.

If you are also getting Fibre then you could better look at a router with two SFP+ cases like the CCR1009-7G-1C-1S+

msatter

No worries. I am running 6.47RC and nothing has changed there. The Dynamic are still grouped under their own specific template.

msatter

With arrival of 6.47RC it works after a few hick-ups and if it stable on a reboot I won't going to try out yet now it is working.

msatter

@Nostromog look at my posting for the new situation. The router should be in bridge or the device before it. The pppoe + vlan only have to find gateway.

msatter

To me the old config is over a bridge.

add address=192.168.100.10/24 interface=ether1-gateway

Is that IP matching the new configuration?

Try 192.168.1.10 if it is free and also change the VLAN 6 to 20 and 3 to21.

msatter

I can now connect over SFP and get a link up of 1Gbit/s. However like with 6.46.x the PPPoE connection drops back to a MTU of 1480 instead of the usual MTU of 1500 after short time. Back to using the media converter connected to a ether-port. Hoping this can be solve this before release of 6.47 Addi...

msatter

If you look in the status tab you will see that 1000 half is not advertised by the 4011. However it is a test worth to see if also disabling in the settings brings a improvement or a solution.

msatter

The on-error needs to be indeed on that line like it is necessary with else in a if..do..else To check the syntax you can put the code between { } : { :do { :local checkdns [:resolve "my.domain" server=1.2.3.100] /ip dhcp-server network set 0 dns-server=1.2.3.100 } on-error={ /ip dhcp-server network...

msatter

test is a local variable that just is used as a dummy. It could be clearer to use dummy but you are asking to test something so test was clearer here.

The lines are in fact one long line and the work in one go.

msatter

Thwt is not the simplest thing to start with.

Look for on-error and might be the way to archive that.

msatter

You should have put VLAN 20 at the ethernet port connected to the switch and the PPPoE connects to VLAN 20. Is the Teldat/switch in bridge mode then you can use PPPoE and if not you let the stuff from Moviestar do the work.

I assume that VOIP is handled by the Teldat/Moviestar switch itself.

msatter

Beta 6.47beta60 has this and it will trickle down most likely also in the non-beta versions in time. I am eagerly awaiting the next beta but the current hick-ups take longer to solve than expected so before moving to beta look if you can solve that differently. In the beta you can use the CLI to set...

msatter

@sindy Only the routing-mark differs and the destination address is in all four lines the same. Which is not present if run directly from the router as you wrote.

msatter

I am not a routing specialist but with distance and specific WAN you create a problem. The connection with the shortest distance gets priority to transport traffic but then only for WAN3 traffic leaving WAN2+3 to be catched by the last routing rule. Why not only use the routing-mark and set the dist...

msatter

If you want an exact distribution then the use of PCC is not the best. Also think about when you spread traffic, don't define the last line and just mark what is left over. You create then also a catch-all in case one of you earlier lines are not working. I have spent an posting on this and have a l...

msatter

They are sending it now as a stream so it seems not to be closed. Try this in RAW and see if that stops the attacks: psd (integer,time,integer,integer; Default: ) Attempts to detect TCP and UDP scans. Parameters are in following format WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight W...

msatter

You will have to set the Vodafone router to bridge if that is posdible. Miktotik does not support ADSL/VDSL in any way on it's own.

msatter

No sorry....it is every 2nd time you connect connect rb4011 .... changelog OK ... closing winbox .... connect rb4011 .... changelog NOT OK .... closing winbox .... connect rb4011 .... changelog OK .... and so on What if you enforce it to use only one of the two servers under the domain dowload.mikr...

msatter

New Winbox shows strange changelog in "system -> packages" for stable tree ??!?!?!? The error comes after "clear cache" only on the first device you connect after downloading descriptors. On other devices the changelog is OK. It stays strange only on the first connected device after performing a "c...

msatter

Looks good and no more resizing of the windows on it's own is a big relieve. Running it on a Windows 10 system.

msatter

According to the following Manual:Scripting-examples -- file size limitation has been removed Read and write large files Many users requested ability to work with files. Now you can do it without limitations Create and write to file: :global newContent "new file content\r\nanother line\r\n"; [/lua ...

msatter

O, please stop.

msatter

That is known and lets hope Mikrotik can complete the work they are doing on it today.

viewtopic.php?f=21&t=154662#p793522

msatter

Thanks eworm for the explanation and I have added the :global gArr; line and this can be used directly in a script: :if ([/system script environment find name="gArr"]) do={} else={:global gArr [:toarray ""]; :set ($gArr->"key1") "val2";}; :global gArr; :put $gArr; On a first run it will create the v...

msatter

As soon the interpreter is hitting the "}", $f is forgotten.

But then I have already put up a version that does not need a helping variable.

msatter

@msatter, stop please. Your code can't be correct as you use $f in the initialization... My code is correct, as it runs in RouterOS. $f is local . You don't have always to go through the process of defining it. It not Cobol. ;-) This is a working and also the shortest version: { :if ([/system scrip...

msatter

It is a global variable: { {... :set $f [:len $gArr] {... :if ($f = "true") do={:set $f true} else={:set $f false}; {... :if ($f) do={} else={ {{... :global gArr [:toarray ""] {{... :set ($gArr->"key1") "val1" {{... } {... {... :put [:pick $gArr 0] {... {... } val1 And via de CLI: :put [:pick $gArr ...

msatter

I am not a programmer but this is my solution: { :set $f [:len $gArr] :if ($f = "true") do={:set $f true} else={:set $f false}; :if ($f) do={} else={ :global gArr [:toarray ""] :set ($gArr->"key1") "val1" } :put [:pick $gArr 0] } Nothing is being printed but the value is there "key1=val1".

msatter

You are barking up the wrong tree here.

I had this exact same problem a few weeks ago and I worked around it going with returned string value.

msatter

What's new in 6.46beta44 (2019-Sep-19 05:54):

Changes in this release:

*) capsman - fixed channel auto reselection;
*) chr - added support for Azure guest agent;
*) console - fixed "tobool" conversion;

As you noticed, it is not.

msatter

Most of the time but as soon you enter /system script environment and want see the values then you use print. It is a mix and one part of you line you are in printing area and to print the variable outside that, put is used.

If you can't print by using put try print, is one thing to remind.

msatter

The print is a official command like put is. Print can do other stuff then put and they are used to their specific purpose. Print is print and put is printing using put. Some things are just not straight forward. The variable is returned as a string and tobool will not convert it. You could just com...

msatter

I gave two answers to two questions.

In environment all globals live. If not there then it is not a global.

Why do you need print while you have put and set?

For your script it is known that tobool is broken since a long time.

msatter

You can print in /system script environment.

If :global is not found set it with a value:

$shortname contains the variable name used in environment.

:if ([/system script environment find name=$shortName]) do={} else={[:parse "global $shortName 99"];};

msatter

I made a string of a boolean so change it to:

:local a "true"; --> :local a true;

msatter

On down: /system leds; :local a "true"; :do {set 0 type=off; :delay 2s; set 1 type=on;} while ($a); On up: /system leds set 0 type=on; I have not tested it. and $a is always true and on up the led setting is overwritten. If the blinking does not stop then go to /system scripts environment jobs and k...

msatter

There is no specific command for flashing. You have to write your own script to do this.

msatter

The problem is thst first have to read whole list before you can start reducing.

If Miktotik implement resume download then we could chop up the file in little parts.

msatter

viewtopic.php?f=9&t=75555&p=790674&hilit=epoch#p790676

msatter

Look at the postings above the earlier by me: https://forum.mikrotik.com/viewtopic.php?f=21&t=154662#p793526 The were busy with the server and restored backups or used previous versions and are now at a point it works again. Sadly the Beta60 is not listed but the are on the server. To get the Beta60...

msatter

URL: http://connect.com
Domain: connect.com

Enter only domains in the Domain Name Server (DNS)
www is a sub-domain of www.connect.com and normally the WWW server does this for you.

I hope I did not spoil your day with this.

msatter

I was reading in the Wiki about setting up a CGNAT and thought this could also be used to limit traffic hitting Connection tracking in the routers. When you look at traffic going from clients to the outside you see that that traffic get random high port-numbers and on return that port number and IP ...

msatter

Hoping that this did not slowed down the release of a new 6.47Beta.

msatter

:foreach ID in=[/ip fire nat find comment="NAT 2"] do={:set $lastLine $ID}; print where .id=$lastLine;

msatter

From the WiKi: Every global command should start with ":" token, otherwise it will be treated as variable. How is that working in the new API (ROS-7) and maybe we are in a transfer to that and the Colon is not handled that strict anymore. I also noted that having to usde define :global to have acces...

msatter

Looking at the log I notice that the destination port targeted by different adresses and the only thing you should look at ate the ports. Using IP adresses in any form is futile. If they use 53 and 389 and you have different requests from different IP drop that destination port for a short time. No ...

msatter

In signature you see a link and that topic also contains a script to restart a peer if it went down. It only restarts peers that are enabled and you can rewrite that to enable disabled peers. A meaningful name for the peer is essential or you have to use the comment field as already suggested. This ...

msatter

I have autosupout.rif in the files of my 4011RM and I think is also generated if you reset the router by holding the reset button to reset.

I don't remember what happened then and just received the 4011 and I used once a hard reset.

msatter

Maybe it would good to put a link to your posting in the ip-phone-forum and back so it will be found easier for others in the future.

msatter

Really great that you managed it and you had the right tools to archive this. You made great use of it and please put this also on the IP-Phone-forum so that more can follow you way.

Enjoy your archivement!

msatter

To retrieve the uptime:

/system resource> :put [get uptime];

And in into a variable:

{
:local getUptime [/system resource get uptime]
:put $getUptime
}

msatter

The example functions are :global but it seems that I also can use the :local. { local cleanStringFunc do={ while condition=[find $1 $2] do={ set $1 ("$[pick $1 0 ([find $1 $2]) ]".$3."$[pick $1 ([find $1 $2]+1) ([len $1])]")} return $1 } put [$cleanStringFunc "Can-t-be-used-as-name-for-variable" "-...

msatter

And as an function, my first one :-) { global cleanStringFunc do={ while condition=[find $1 $2] do={ set $1 ("$[pick $1 0 ([find $1 $2]) ]"."$[pick $1 ([find $1 $2]+1) ([len $1])]")} return $1 } put [$cleanStringFunc "Can-t-be-used-as-name-for-variable" "-"] } Notice: because of the { at the beginni...

msatter

{ local a "Can-t-be-used-as-name-for-variable" local b "-" :while condition=[find $a $b] do={ :set $a ("$[:pick $a 0 ([find $a $b]) ]"."$[:pick $a ([find $a $b]+1) ([:len $a])]")} :put "Result string: $a" } Result string ($a): Cantbeusedasnameforvariable The :local variable $b contains the single u...

msatter

Good that you find the cause of not being able to connect to the VPN. You can mark your own post (above) solved.

msatter

Just a quick look by me and you create a list "Port Scanners" and make sure that the source address of Symantec server is not on that list. /ip firewall filter add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=6h chain=input comment="Port Scanners" in-interface-lis...

msatter

If you want to use the result in a other script then you should use :global, as ChaOs suggested.

msatter

I got an answer from Mikrotik support that is fixed in a next version(s) of RouterOS. Now I have changed the setup of the different devices so that I don't have to take half of them of the wall to just put an other device on the fiber connector. I had extra fiber cables and adapters for and made the...

msatter

:set $result [:resolve mt.lv]; :put $result

msatter

From the outside they are closed. That is how a statefull firewall works you can only open a window in the firewall from the inside.

Check if port 500 and 4500 UDP (ipsec) are allowed to open such a window.

msatter

I assume that it are TCP connections that have a time-out of 1 day in the connections table. When you remove the exiting connection there then a new connection has to be made but that will not happen because that is disabled then. Removing is very easy because you know the port. You csn use a schedu...

msatter

I don't assume that many here are willing to help you with this. Spying on your users is not nice to be doing.

msatter

I use a small piece of gray tape. No sunglasses needed anymore.

msatter

I noticed that you already found the IP-Phone-Forum which is the place to go when having a AVM device.

It look like you have to get a GPON that is changeable without having it to be flashed by a programmer. In the Spain thread a lot is talked about those.

msatter

For all DoT lovers out there, I'm bringing fresh official bad news. Received yesterday, directly from MT support:
Unfortunately, DoT is not planned to be implemented in the near future.

msatter

On the moment the VRRP switches you have script on event available. One script for each router and one script for both configs on either router .

msatter

You can think of a double VRRP. It called load sharing.

https://wiki.mikrotik.com/wiki/Manual:VRRP-examples

The IP becomes active when the other one fails. You have then a virtual between the routers and both have access to the upstream switch.

msatter

Darn it was in front of me and try ssh to IP: 192.168.47.1 as you found with the help of Wireshark. First do a IP Scan to see if it lives as that IP.

msatter

Spain: viewtopic.php?f=3&t=116364&p=789506&hilit=spain#p762916

It is not the solution but a start for you.

msatter

Update: I tested with an eye on the load on the processor and NoTrack is ideal for ipsec (protocol 50) and the tunnel (UDP/4500) can be fastracked and that is the fasted method for that. I can even hide fasttracked untracked traffic but I did not see a advantage in that. I is still strange to me, to...

msatter

I have adapted my "way of handling symbols" so you can untwist your eyes again see straight as an arrow. ;-) That the FTTH POP is wideband I expected and the forums never agree on which to use 1490nm or 1550nm, it works both. I have to order the Tx1550/Rx1310nm SFP and some armored cabling so I will...

msatter

I have looked up the information on the NTU that is being used and that is a Genexis MC901. It can do both speeds 100Mbit and 1000Mbit fiber. The frequency used is Tx 1310 Rx 1490/1550nm and the dBm is Tx -9 -3 and Rx -3 -23. There are 1G SFP Wideband BiDi LX that have a wider bandwidth 1460-1580nm ...

msatter

If you search for the word "spain" here you will find a lot postings about gpon andaccess.

msatter

DNS is only tiny bits of information so not much to gain by fasttracking it. Why should it be a DDoS. It are responses to your resolve requests and so statefull. Fasttrack should inspect the first package and time to time also packages in the stream. DNS exists in one or two packets returning so Fas...

msatter

So.......tested it and it is not the SFP but RouterOS. The latest beta does not enforce 1GB if you set it manually instead of Auto-negotiated. I have not tried previous beta's and rather wait till Mikrotik fixed this problem. I tried 6.46.6 and that got a connection but the MTU started at 1500 on th...

msatter

I have my 4011 just 25 hours and is really a fast router but also it's edges. IKEv2 is at 800Mhz just a bit faster then two hEX-S in series. On 1400Mhz I ran out of ISP bandwith, just to browse. ;-) I call the 4011 my 'little stove' because it such a darn hot router...and looks like that also. Got a...

msatter

Oops, did not thought that trough. Next time I order I will also get the other ones.

Thanks for the hint. Saves a bit of work and frustration followed by deep shame.

msatter

I will check that tomorrow because I have already placed back the NTU on the fiber to have Internet. I also going to try a direct link between the hEX-s and the 4011 to see if that works. Got plenty of modules and a fiber cable for that.

msatter

I have a internet fiber connection and am using FS GE-BX (#20140) modules 10 and 20 km. Worked perfectly in the hEX-s but not in the 4011. I get all the normal information in the SFP screen and a link OK. When running Torch I see my PPPoE-discovery being transmitted but there seems to be no answer. ...

msatter

Not sure why its not working, but since you already have the ID of the line to delete, just use the ID like this: Very nice. Running this will show the *id of each found entry so you known how it looks. Every line and entry in RouterOS have a unique *id number. You can use that *id directly. { :for...

msatter

unknown-multicast-flood (yes | no; Default: yes) When enabled, bridge floods unknown multicast traffic to all bridge egress ports. When disabled, drops unknown multicast traffic on egress ports. Multicast addresses that are in /interface bridge mdb are considered as learned multicasts and therefore ...

msatter

When you want to use Netlfix then you have to connect in a other way. They have dedicated servers for that and the ones used in the Mikrotik is for general use. The best you can ask the helpdesk and in your case Surfshark if it possible do it over IKEv2 and not over OpenVPN? https://support.surfshar...

msatter

Thanks mkx and I also gained some new insights. Looking in the wiki I found this in the bridge page: /interface bridge port set [f] horizon=1 And first thought the "f" stood for false but doing a bit of scripting in RouterOS saw that that it standing for find. It would be so nice that the manual wou...

msatter

Unclassified is on my MMIPS very quit and almost always zero. The ARM processor devices show often unclassified being maxed out when they reboot/crash.

msatter

Hello, i would like to extend this topic further, i have similar situation where lots of connections are established toward my client with 0/0 orig rate and bytes. I see that these connections are established backward only when client established connection to some https server. How i can filter su...

msatter

You are not in the same situation because this topic goes about not being to see the preview in this forum due to problems of ICMP 3/4 packets not being return to the client by the router. Please open a own topic on this. Update: I had quick look and is your DNS resolving? You can test that quickly ...

msatter

Looking for a long time at the 4011 and I afraid that it will stay with looking at and not buying.

msatter

I think the following wiki page needs an update as well: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow#Configurable_Facilities The said raw table from https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw is missing there in the list under "Configurable Facilities". The Wiki is not a full manua...

msatter

Untrack gives about a 30% increase in speed and is used for example in IPSEC that does not need connection tracking to function. With the introduction (rules before connection tracking) this became posible. I do most of my filtering in RAW but it has it limation because it has not trigger on invalid...

msatter

Fasttrack could have some more love and attention in the Wiki. The example shown are showing the dummy rules counting the fasttracked traffic. Showing you if you fastrack rule is working. Fasttrack forwarded traffic should be done before accept rule or you won't the dummy counters increase. If you o...

msatter

Thanks again Sindy. :D I found now the perpetrator and as it was indeed because of doing double NAT. When having to use double NAT I have to enable Nat traversal in IPSEC Profiles. This not being enabled, I got two separate streams on the GW from coming the inner. I was already asking myself why the...

msatter

It does not need a public address as the GW is providing that. It enters the GW router and looks for the address of the VPN provider not finding it there. Then it takes the door out and the internal source addres is replaced by the GW public address in NAT......darn then it could be is double natted...

msatter

Both router are doing IKEv2 on it's own. On the inner router traffic is divided by PCC and connection-marked to the inner IKEv2 or to the GW router. In NAT the traffic marked, for the GW is source natted to to the GW router. There it is handled by the GW IKEv2 en/de-crypter. Two streams are present ...

msatter

I am using two routers in series and IPSEC traffic going through the second router which generated by the first router. That traffic puts a high load on the second router (GW). It won't be accelerated and I can put plus 500 M/bit/s through it and it will hardly break out a sweat (fastrack) but 170 M...

msatter

Test it and this seems to be the same:

TCPflags.JPG

msatter

Here is also a manual/topic about this:

viewtopic.php?f=23&t=157048

msatter

OK, have fun. It's enabled.

Having fun here. Never seen PM enabled.

It makes life a lot easier and spam....lets see if we can handle that.

THANKS!!!

msatter

I keep resizing the windows in Winbox 3.23 64 on Windows 10 64. More than half of the time I am resizing windows to a smaller size instead of working in Winbox on the settings. It really a PITA this way. Update: I was working on three routers using the same profile and I am now trying to have for ea...

msatter

When already natted traffic goes an other time through a NAT.

https://medium.com/@gmanual/double-nat- ... 41b6c651bd
https://www.pcworld.com/article/3175739 ... blems.html

msatter

I am hiding the tunnels (UDP 4500) created by the IKEv2 and the ESP (protocol 50) this way in connections. In the upstream router I can't hide those anymore because there is no IPSEC handling active for those connections. On the upstream I do the the same for the IKEv2 connections that are handled b...

msatter

It works for me and the difference is that I use for the second line output and not prerouting and I put those in manually. 1 ;;; IKEv2 from GW-router in and out. Make them invisible in connections and using so less processor time. chain=prerouting action=notrack src-address-list=NoTrackIKEV 2 chain...

msatter

Yes! Mikrotik, you made my day! One thing, though: Looks like DNS forwarding does not work if DoH configuration is active. I think the forwarding should have priority over DoH. That is a chicken and egg problem. Lets say you need to resolve the DoH for google. add name=dns.google ns=8.8.8.8 type=NS...

msatter

Thanks Sindy and I have tried it but not traffic was seen on that GRE interface. Despite the traffic is routing marked it, it did not appear. The only way is to use dst-nat and then the traffic is seen with torch and then I can blacklist it in route then. Works great. This is ideal when the IKEv2 is...

msatter

Here I got a fact: the mikrotik tutoril for surfshark states peer-->address-->exchange-mode=main, in the tutorial you gae the link it's exchange-mode=ike2 The rest is exaktly the same. So I changed in exchange-mode=ike2 and ... it accepted the identity setting!!! Can it have been the problem? I che...

msatter

creation-time~"apr"

change it to

creation-time~"mar"

msatter

Bo I don't understand what do you mean in creating a new identity? I used also this certificate but nothing changes. It is that RouterOs doesn stuck with eap - CHAPv2 ... So nobody has a VPN from surfshark or NordVPN runnig? I am stuck when creating a new identity. You however create a new connecti...

msatter

I can't help you on this because I am death in the water when adding a indentity here. Wrong mode-config..did I chose a wrong mode config or the mode config is wrong. God only knows why. So the certificate is a Sectigo one according to crt.sh: 2337282437 2020-01-15 2020-01-15 2021-01-14 *.prod.surfs...

msatter

Uh, google does a redirect there... So use this: /ip dns static add address=8.8.8.8 name=dns.google /ip dns static add address=8.8.4.4 name=dns.google /ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes Maybe this can be combined to a bootstrap IP. Also adding the direct IP ...

msatter

If you use an other router/modem in front of this router have them route traffic to you and not have them use src-nat of have them use dst-nat.

msatter

For Google you still a first resolve through a normal DNS or it will not know how to reach the DOH of Google. Cloudflare used a trick to by putting 1.1.1.1 as alternative name in their certificate.

msatter

I am revisiting this tread again while busy to create a Kill-Switch for IKEv2. Till now I blackholed traffic by using a src-nat to 127.0.0.1 and noticed a few day ago that the traffic was reaching the next router in my network. I put a rule in that router in RAW to drop any traffic coming from 127.0...

msatter

I have been trying a few times but I can't get it working. I have a local network in the 192.168.1/0/24 range. I have now two routers behind each other and that works. Now I want to put a third router in between to accelerate IKEv2 as I do with the two routers. Router 1 has the local network attache...

msatter

openssl s_client -connect us-dal.prod.surfshark.com:443 CONNECTED(00000005) depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo...

msatter

IKEv2cert.JPG

As I wrote the manual by Surfshark is wrong on this. You should make the box empty (click the top triangle) and the certificate they provided should be found then.

msatter

Routing mark main will always be there because that is the same as not routing marked.

There are parts of the config that are not exported, like users.

msatter

You don't point to the cetificate. The cerificate should be present in the certificate store on your router to be found. Their manual is wrong on that point.I have not check the rest of their manual. https://support.surfshark.com/hc/article_attachments/360010703300/addidentity17.png https://support....

msatter

Send a e-mail to support@mikrotik.com so they can correct it a next release.

msatter

I use the provided config by Mikrotik in the Wiki and I use connection-marking to selrct the traffic I want have handled by the VPN. Fasttracking and IPSEC is a no-no. The policy has to be at the top in /ip ipsec policy table and the NordVPN lines underneath. To be sure the order is correct you coul...

msatter

When I temember it well you use the DoH client in RouterOS to connect to Cloudflare. This DNS DoH traffic is not passing through the VPN because only your client IP 192.168.0.5 is using only the VPN. The shortest way for now is to use the dynamic DNS server of NordVPN and disable DoH. This if you do...

msatter

That is what you are told and as all things in life that does not have to reflect reality.

msatter

I just noticed the the new docs is not updated on this.

https://help.mikrotik.com/docs/display/ ... ion-Health

msatter

By helppage you mean the Manual inside Winbox. That is displaying the Wiki and states:

RB760iGS (hEX S) Turns off Power LED and SFP LED

On the RB760iGS you can only control the Power and SFP LED.

msatter

The wiki page is correct and Becs corrected it from all to only the Power LED and SFP leds.

https://wiki.mikrotik.com/index.php?tit ... ldid=33661

msatter

Then add the ICMP in /ip pisec policy underneath the default *T (template) line and then start your NordVPN connection. Not underneath, above !!! The ICMP packets from Mikrotik itself to the LAN hosts must hit the action=drop policy before hitting the dynamically created one!! I wrote underneath th...

msatter

You are using DOH and there also dynamic DNS servers from NordVPN active try it with DOH deactivated. Should not make a difference but better one captain on the ship. Let me know if you find somthing and else just remove the current config and leave the defaults (also active) and do a new IPSEC Nord...

msatter

Thanks Cindy and I have tried now for each of my VPN provides a dedicated line instead of the one default one. First I see (print detail) the template, then the DA lines and underneath those the T line for ICMP. This after restarting the VPN connections. I don't think a dedicated template is needed ...

msatter

I have my template on the group=default. To have it positioned then, then the *T on should be on position 0. When adding it should land on the correct spot underneath *T.

Indeed removing the template and in my the posting above I have addressed that.

msatter

The MTU on the PPPoE is no problem and are you sure the VPN is up again? I see now a set 1 group=NordVPN add group=NordVPN proposal=NordVPN template=yes or set 1 group=NordVPN proposal=NordVPN template=yes Check if your proposal is the same as I wrote or replace it with your own proposal. Update: as...

msatter

Strange that someone "Becs" fixed the documentation yesterday "Latest revision as of 09:24, 16 April 2020 (view source)" and did not comment in this thread. I am sure that documentation was updated due to this thread. It starts to look like Mikrosoft. Instead of fixing the problem, we just change t...

msatter

It's simple - the policy you've added must be placed before (above) the template from which the IKEv2 connection creates the actual policy for the connection. The order of policies matters the same way like the order of firewall rules does - the packet is matched to all of them starting from the to...

msatter

I have updated my first response to you. Enable the line with X*T and remove line with T . The one with the * is the default line. ::/0 is the same as 0.0.0.0/0 and covers also IPv6 if that is available. If you do test hit the preview button in this forum when writing a posting and if it is shown th...

msatter

I have to think about that and my first answer was not correct if you address range is 192.168.0.1-192.168.0.255 Update: I can't place the first line: /ip ipsec policy set 0 disabled=yes My template is also a bit different: /ip ipsec policy add group=NordVPN proposal=NordVPN template=yes On copy-pas...

msatter

https://wiki.mikrotik.com/index.php?tit ... ldid=33661

 	
    <td ><b>RB760iGS (hEX S)</b></td>
	 	
    <td ><b>RB760iGS (hEX S)</b></td>
−	
    <td >Turns off all LEDs</td>
	+	
    <td >Turns off Power LED and SFP LED</td>

msatter

Thanks msatter. I read your script. Correct me if im wrong the script reads the connections table and automatically puts the /24 subnet into an address list and then? you manually set a filter rule? I don't use the connections table. Every connection on a specfic port(s) are put on list one with a ...

msatter

Do both tests fail? Download and then upload. If only upload fails then then it is a problem with packet size.

msatter

Oof...that saves a lot of responding to support e-mails for Mikrotik.

msatter

From what I read this can't be reported through the vulnerability page of Mikrotik because you the user is already logged in.

It should then be reported as a bug to: support@mikrotik.com

Everyone can do that and refer in their support request to the page describing this bug.

msatter

Here you go:

viewtopic.php?f=2&t=152953&p=758068&hilit=%2F24#p758068

Don't reject because the other side is not listening. If you do that in RAW then that gives the least impact on your router.

msatter

I had also a look and it seems that only the blue, brightest ones, can be switched off.

after-1h  after-1min  immediate  never
[mt@MikroTik] /system leds settings> set all-leds-off=

msatter

When both static and dynamic servers are set, static server entries are more preferred, however it does not indicate that static server will always be used (for example, previously query was received from dynamic server, but static was added later, then dynamic entry will be preferred). It looks li...

msatter

I was writing that with an eye you not getting SIP logging.

Fast-track any traffic through a IPSEC/VPN is not wise and instead use no-track.

msatter

I see that a different port is used and the log could looking for ports 5060 and 5061. In /ip service you can add your port to the SIP line.

https://help.vantact.com/index.php?/Kno ... a-mikrotik

msatter

viewtopic.php?f=21&t=154662&p=784984#p780798

Enable logging and look for strange things.

msatter

I found a memory leak (or cleaning error) in the DNS (hEX v6.47beta53/54), after flushing the cache it is not reset to aprox. 17KiB, but grows until the device reboots, in this example 358KiB. Accordingly, it does not clean normally during working and only grows. I have not found this and do you us...

msatter

Kingdom for standard "syntax error at line X, column Y"! :) It is displayed if you use { and } to contain the bit of code: { #Loop through names of the peers and see if they need restart :foreach peerName in=[find] do={ :lset $pn [get $peerName name ]; :if (![get $peerName disabled]) do={:if ([/ip ...

msatter

I am currently working a more flexible version with more option. It is going slow because scripting is not always easy and RouterOS is sometimes trowing a Enigma that has to be worked around.

msatter

Yes you can find that in less than two seconds on the internet.

What is it doing in the next RouterOS? Or is it something else?

msatter

Went back in time and found this: /system script print where name="scriptname" You will get a full page and where the colour-full letters end there is the syntax incorrect. If this can be also reachable as described above one can easily check a part of a code. Second option: You can also use /system...

msatter

I tried, by using a script, to put [:parse "global ".... As soon it sees the " it assumes it ready and executes the rest. Is there a way to tell that the " is not the one to look at. I tried \" but that did not work. I was ending up putting in :local's and puzzle together the correct line. edit: Hol...

msatter

In the Netherlands we have now free router/modem choice. The KPN which is the biggest provider on telephone lines, I can't recommend any Mikrotik router to whom is asking me due to no decent VDSL support. Many people are looking now for a better router than the one they are hiring right now from the...

msatter

You set which route is to be used in Mangle and are using a destination address list. Your own external IP is not destination but a source address.

So if destination address is not on the county list then mark for VPN. That would indeed be correct.

msatter

I tried it and my loglines went down from 1475 to 1100 when I executed: /system logging action set memory memory-lines=100 Hmmm checking that closer..... Tried it now with 99 and the lines went from 1100 to 1099 so 1001 seems to be the minimum achievable. (edit clarification of 1001: 1000 disk lines...

msatter

If you use IKEv2 like NordVPN the you can't route that easy.

If you use OpenVPN or L2TP/IPSEC check if you disabled the default route in their settings.

msatter

If you look at it which log-lines are important and which not that much the split you log up in memory and file. If router restart your memory log is gone and the file log is still there. If you want to have the opertunity to have a burst of loglines to look at the cause of a problem then use a othe...

msatter

Everything is above my pay grade. ;-) You can have a look overhere: https://forum.mikrotik.com/viewtopic.php?f=9&t=150168&p=739572&hilit=date+calculation#p739572 https://github.com/phistrom/datetime-routeros/blob/master/README.md And a scipt from which you can build your own: ### calculate diff betw...

msatter

I have have been a lot of coding in RouterOS lately and have some more insight now how to syntax check can bea lot easier. I first said that combining to one line was good, however there is a better way. If I want to check code now I add an "\" at the end of the list and then select it and past it i...

msatter

Do the counters increase on those two lines if there is traffic natted?

msatter

You are in different subnets and if the clients know the DNS server in a other subnet then I would source nat.

If you want to rewrite the destination address then you need to stay in same subnet 192.168.0.0/16 and not /24 for each subnet. The DNS server can't find the way back to otherwise.

msatter

Those are most likely scanners looking for open Mikrotiks. Those can also be good people who check your config and if they get in disable your faulty config and log a warning for you and then close the open door on the way out. Better is to not expose the router controls or services and this you can...

msatter

I assume that you found fasttracking which is not available for IPv6.

or: https://wiki.mikrotik.com/wiki/Manual:I ... st_Forward

msatter

I think you are incorrect but I can't find any documentation on it right now. Local are the adresses in /ip address. Redirect carry your packets to the local port of the router with that address, and leave it there. If there is no pick-up service than your packets gets lost. Pickup service is gateway.

msatter

redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router's local addresses As long you are redirecting to local address you can use redirect and if it outside then you need to use dst-nat. local - if dst-address is assi...

msatter

From the Wiki: Return value to a variable Since RouterOS v6.43 it is possible to save the result of fetch command to a variable. For example, it is possible to trigger a certain action based on the result that a HTTP page returns. You can find a very simple example below that disables ether2 wheneve...

msatter

Have a look at my script which is uses the result.

viewtopic.php?f=9&t=152632&p=778113&hilit=fetch#p759427

msatter

And I have not included the option to use also a KILL SWITCH in case you IKEv2 connections are not up. You will need to kill it in NAT and this is the script for that: https://forum.mikrotik.com/viewtopic.php?f=2&t=158439&p=782424#p781870 # Free to use. Created by Blacklister 20200328-2.5 # Traffic ...

msatter

Search for the word "hairpin"...yes really.

https://wiki.mikrotik.com/wiki/Hairpin_NAT

msatter

Disabling your destination IP that is new for me. However your ISP is still forwarding to that IP of you so that would create also problems. If it is UDP and you blocked that in RAW as high as possible in your RAW lines (/ip firewall raw) then there nothing more that you can do. Then you have to fin...

msatter

Indeed but you first have to be able to know what is real and what is not. If you can afford to drop all UDP traffic in RAW for a while then that is the best way. A time ago I had a slow attack on port 80 (SYNC) and it went on for a long time form server parks. I decided to look at IP addresses and ...

msatter

Yes this is an option but as attacked use fake IP addresses that will make you to deny connection so some servers that you really need! When you are using also IKEv2 connection then those can be made notrack in RAW and so are caught by the rule (UDP 4500). To avoid that the box by untracked has to ...

msatter

I have been busy with distribution traffic in the last time and I like to use a simple Round Robin for that and I found the following ways to archive that in RouterOS. Bst known is using Round Robing for DNS resolving and in RouterOS you can use /ip dns static Create the following domain and IP's fo...

msatter

thy this add chain=input protocol=udp in-interface=ether1 connection-state=!established,related action=drop To use that then you are using connections which is most expenceive, in processor time. If you put that in filter then use it to add the source IP address to an address list which is used in ...

msatter

Are you attacking yourself?! These are UDP snd like Covid-19 you have take drastic measures. Don't look what what you want block. Look what you want to allow and block the rest of the UDP ports in RAW. That is the best you can do. You have normal DNS responses that need and you know which IP should ...

msatter

I not expert on this.

Best is blocking in RAW and you need to use filter, new connection to fill the blocking IP address table for usage in RAW.

This way your connection table stays cleaner and stays working.

msatter

Thanks Sob but that help is really there if you are on one of the "\\" and press tab:

tlshost.JPG

I can enter the characters show by help in terminal (look at the orange $), and it is accepted on enter, but in the Winbox interface shows a blank field.

tlshost1.JPG

msatter

I was looking at using an expression in TLS Host but I can't get it to work. I press TAB then I get the following possibilities: " $ ? [0-9A-F] \ _ a b f n r t v $ = end of string ? = one or zero characters/signs/figures [0-9A-Z] = in a range \ = escape character _ = used in domain names a = b = f =...

msatter

I am using distribution of connections for my multiple IKEv2 providers and got always got the best spread with Per Connection Classifier (PCC) using the source port. The source port is for each connection out different. A good habit is to have the the last line function as a catch-all by removing PC...

msatter

At ROS 6.47beta49 I press Download in "Check For Updates" and in loop see that:
qcRwlwoD1m.gif
To stop this loop I do:
/system package update cancel

This is done on purpose so you don't install it automatically/by accident. To go to 7.x has to be a manual process.

msatter

It doesn't make much difference because the the way FastTrack works. After it is activated only sporadic traffic is sent through the normal rules.

Have also a look at notrack in RAW which speeds up traffic by bypassing the connections table.

msatter

When using IKEv2 connection to a VPN provider Mikrotik inserts dynamic src-address lines at the top of the NAT table. If you are directing traffic to it those dynamic lines can still be in the buildup phase and so leak traffic. This added line is insert after the dynamic lines at the top atleast if ...

msatter

Have a look here: viewtopic.php?f=13&t=159075&p=781541&hilit=flow#p781541

msatter

Have also a look at the RB4011 which has 10 ports with five, each on a 2,5Gbit/s connection. Aggregated 5Gbit/s. The SPF has it's own 10Gbit/s connection.

There is also a Wifi version of that router.

msatter

You can make the most secure connections and traffic ever but when it ends up with Google etc. then why bother to secure it. You're the product. SSL was never sold in those day to be a secure connection, it was and still is seen as being a trustworthy site in the general public view. Today we should...

msatter

The first two have switch chips so traffic between devices in the network are switched and do not enter the CPU unless it is router traffic to the outside. The hEX S is ............ I have two but never got it switching directly. I happens all in CPU/Bridge and the SPF reduces the overall speed of t...

Search found 1626 matches