MikroTik

harry66

Something weird in proxy access rules. Winbox 3.32 and Console config show different.
RB5009/ROS7.1.1 here

Bildschirmfoto zu 2022-02-03 13-49-40.png

harry66

RouterOS 7.1.1 Device hEX (RB750Gr3) The devices physical "USR" LED can not be configured. In device management the option to select "USR" LED is missing, only a "SFP" LED option is available - the device does not have SFP... Please fix. 8) /Uwe PS: Creating a support t...

harry66

I am truly missing words on this. Maybe better to leave it uncommented. I have often been told that Germans (by other Europeans, not some NA folklore) have no sense of humor, I guess it isnt true! :-0 Certainly that is a matter of taste. For sure it does not meet my taste if you insult people like ...

harry66

Oh thats why bpwl!!
All this time I was under the impression that Normis and the Latvian folks thought Germans lived outside

I am truly missing words on this. Maybe better to leave it uncommented.

harry66

This device is designed and certified for outdoor usage. Ah yes, I didn't think about the certification, although being aware of the legal limitation. That makes perfect sense, kind of legal enforcement. I will have a look at your suggested work around. Thank you very much for the swift reply! BR Uwe

harry66

Hi all, maybe you have an explanation for this: I can't switch my OmniTIK 5ac (ROS 6.49.2) to "indoor" Installation. Bildschirmfoto zu 2022-01-11 14-56-28.png In words: [admin@GR40AP8] /interface wireless> set installation=indoor wlan1 failure: allowed installation type is outdoor [admin@G...

harry66

RB3011: Upgrade from 6.49.2 did not work out: - Unreliable ping to a switch (CSS326, LACP, VLAN trunk) directly connected (90% packet loss) - web proxy was disabled during upgrade Maybe as an effect: - All Capsman connections lost What was working: - PPPoE to provider over VLAN - Direct connection o...

harry66

What I think the point is: Mtik is a good adaptation of the hardware near functionality. I compare this with designing UDP around IP, compared to TCP with far more bells and whistles. Just to give some examples: Handling of L2 config is a constant hassle with a steep learning curve and prone to conf...

harry66

I've been involved in the security planning and execution for a number of large companies as well as mitigation of breaches that later became public for a few of them And here is the sad reality...for medium & large enterprises, it's cheaper to deal with a breach than spend the money needed to ...

harry66

They insisted on Cisco equipment or would not do the job. I compared prices and it was ~x3 more for the Cisco. But my customer isn't short of cash so I let it go. But it does irk the Yorkshire man in me that money was spent that could have been saved. But then is about the companies business case. ...

harry66

Agreed, and I don't think a router should be expected to incorporate this functionality. I think it ends up asking 1 device to do too much, and complicates administration and management. I perfer standalone devices for packet-inspection functionality where required. I question your arguments :-) 1)...

harry66

I second what is said here. Industry standard is a super weak argument of those that don't know better. For Mtik you have to take care about much more but you pay much less initially. Just think about what you would need to build a console like Panorama for Mikrotik. Yes, you can blow it up to a cer...

harry66

Hi Metod, thank you for coming back with that. With the hint you gave, I see [admin@Grobi] /interface ethernet> monitor ether10 once name: ether10 status: link-ok auto-negotiation: done rate: 1Gbps full-duplex: yes tx-flow-control: yes rx-flow-control: yes advertising: 10M-half,10M-full,100M-half,10...

harry66

Hi OnixJonix, I can imagine what situation you are in and why it is so hard to come up with usable arguments. Depending on your customer you have to be aware that when setting up a whole new infrastructure, the availability is key. It is key right from the first moment. Once your service becomes sha...

harry66

Hi, I am experiencing an issue with v6.47.2: As it looks ethernet link handling on RB3011 has problems. What I did: Upgrade RB3011 from v6.47.1 to v6.47.2 What happened: RB3011 became unreachable What turned out: Trunk link between RB3011 (ether10) and CSS326 (port3, SwOS v2.11) became unreliable ev...

harry66

I am actually using Wireguard since longer and therefore completely eliminated all other types of access like L2TP/IPsec and OVPN. However I am super unhappy with operating a dedicated environment to provide the termination point for wireguard including all routing stuff. And of course I am happy wi...

harry66

I have never seen a electronic device (with touchable parts) running that hot. It should have a sign of warning for excessive heat - if you don't expect it, you really burn your fingers for a couple of days. More than 100°C - man! How can that be allowed to be distributed? It's a massive design fail...

harry66

I got two CSS326 equipped with a single S+RJ10 in each - just don't do it . At first with free ventilation in 22°C ambient the transceivers are running about 95°C. After two months of operation, ports now start flapping. Transceiver temperature was at 109°C in 24°C ambient. S+RJ10 were r2, can't say...

harry66

In Confluence there seems to be no display mode, where you don't have to scroll every single line.
In reader mode you loose the formatting.

Both ways it is really annoying.
At the same time we loose this great TOC table from before. I hardly see the improvement.

/Uwe

harry66

Hi, I got aware of the new documentation platform based on Atlassian Confluence. Compared to the "old" WIKI, I must say I am pretty disappointed as the formatting makes it unreadable. Even if you managed to get away from the three columns web design, you still have to scroll. That is not u...

harry66

Okay, I surrender on the permissions.
If I grant all permissions to the script and the scheduler, it works.

Anybody a hint, how to find out, what permissions are needed for what?

Thank you!
/Uwe

harry66

Hi, I am more and more confused: I have two very similar scripts: One is enabling and interface and one is disabling the interface Both scripts have exactly the same permissions One script runs and the other is not because of permissions I can't find any explanation, what permissions would be needed...

harry66

Thanks for the hints. I experimented with the permissions already, starting from default, going to everything and nothing. The settings now reflect what makes sense to me and what is working on manual trigger. Following the rule that the scheduler should have the same permissions as the script. Stil...

harry66

Hi, I have created some scripts, really tiny ones, that are meant to disable certain network interfaces when not in the office. The scripts themselves are just simple one liners that are working well when started by manually. For some reason the scheduler does not start them reliable. Please have a ...

harry66

Hi jarda, The boardname is "hEX" as you can see above. Architecture is stated as "mmips". The download page files "hEX" as MIPS-BE. From my point of view this is a mistake. It schould be MMIPS. This was another trap. Before I bought the device I checked if the user-mana...

harry66

Thanks for the quick reply. Downgrade and Upgrade worked like a charm even via remote OVPN tunnel :D Searching for the .ZIP I noticed that hEX is filed under MIPS-BE on the standard downloads page https://mikrotik.com/download whereas the board mentions MMIPS. In the MMIPS section only RB750Gr3 is m...

harry66

Hi, I recently bought a hex router to take benefit on its comparably huge amount of RAM. 32/64MB with single CPU model (various 951) had poor performance with long filter lists in firewall and proxy... Now I am facing a new challenge with hex 16MB flash size. As opposed to my initial assumption the ...

harry66

In addition to my proposal there is a couple of more use cases: The predominant is here: As the mAP and especially the mAP lite are designed a carry along devices they may be very convenient for the travelling salesman that needs to connect back to the company. The ethernet interface may be the conn...

harry66

The request you made looks like: hey, build into all devices the adaptor I am using now in order I do not need to cary it with me. And everyone will buy those devices for higher price just because of that? Will even you buy that new device again? Nothing offending, just thinking loudly about this.....

harry66

but maybe i'm totally wrong.

No, you are on spot.

harry66

What about virtual ap and virtual client on wlan interface of mAP? No need for any cables or adaptors... It does not work reliably and most probably that is why Mtik explicitely does not recommend it. You should better not recommend things that do not work in general. Believe me I know what I am ta...

harry66

mAP (lite) is lacking an essential feature that might be interesting to see on other USB equipped devices as well: An USB network adapter mode. Use case: I have a laptop with wireless only network interface that I use when travelling. To have a hassle free "no limits" access to the corpora...

harry66

Quick update:

The problem is related to a general change in the STP on bridges implementation on different platforms.
Either switching STP to none on 6.38 or upgrading to 6.39rc solves this problem.

BR
Uwe

harry66

So it doesn't look like a platform issue.
I hope Mtik is working on a fix already.

harry66

Hi liviu, I guess the problem is on the link layer, not on the application layer. In my post you can see that even ping (ICMP echo request) has problems. Do you use the first switch port group (ether1..5)? I am only using the second switch group and was wondering if that might have any influence. BR...

harry66

Hi, I have retested the upgrade procedure from 6.37.3 -> 6.38 for my device without any issues. However the link instability introduced with 6.38 for ether6 LAN ether8 PPPoE is still there. Winbox frequently loses the LAN connection to the RB3011 and PPPoE is lost every couple of minutes. This is de...

harry66

Meanwhile I have sent the supout.rif to the support email address. Still I am facing more issues with my RB3011 after the upgrade: 1) PPPoE link has frequent reconnects more than 100 during the day (on 6.37.3 this was absolutely stable) To exclude something wrong on my DSL line I swapped the RB3011 ...

harry66

Hi, thanks for all your support! First of all: Netinstall worked perfect in linux wine emulation. Before using netinstall I changed the boot sequence to etherboot and reverted back to the default NAND sequence afterwards. With netinstall I used the 6.38 ARM release and was even able to preserve the ...

harry66

This is what it says on the serial console: RouterBOARD 3011UiAS CPU frequency: 1400 MHz Memory size: 1024 MiB NAND size: 128 MiB Press any key within 2 seconds to enter setup.. loading kernel... OK setting up elf image... OK jumping to kernel code ERROR: no system package found! Kernel panic - not ...

harry66

I meanwhile activated a backup device to get back online. Lacking a windows computer I have set up a virtual instance of Windows 7 but the RB3011 does not connect the netinstall boot server. Maybe the parallels environment prevents the communication. Direct link ethernet cable or switch between does...

harry66

After upgrading from 6.37.3 to 6.38 via Web GUI I find my RB3011 in constant boot cyles. It boots until kernel start and immediately resets.
What's going wrong?
What can I do?

BR
Uwe

harry66

SOLVED - nothing wrong with the RB3011 in that aspect :-) As I said in a previous post it is something simple I overlook or something quirky. Well it is in fact simple: The PPPoE client has a dial-on-demand option that prevents the link to be established if no data is waiting. The "old" s...

harry66

Hi, removing it from the slave doesn't get it running. Here I changed to the bridge interface: [admin@temp] /interface pppoe-client> pri Flags: X - disabled, R - running 0 R name="pppoe-Telekom" max-mtu=1492 max-mru=1492 mrru=disabled interface=bridge-vlan7 user="something" passw...

harry66

Hi, i Just got a fresh RB3011 and try to migrate my working PPPoE config from an existing ROS device. But I am running into some trouble that gives me serious headache: I don't get that PPPoE config running on the RB3011. The setup is trivial: ether5 used in standard LAN for VDSL2 modem connectivity...

harry66

That may serve as an assumption, yes.
As I say above it actually works sometimes. It might be a timing issue. That makes me curios about other peoples experience with 2 chain devices. Maybe they work more robust.

harry66

Hi, I am currently looking for a stable solution for my current attempt to get secure internet connectivity on travel: Until now I had not much luck with my mAP 2n to implement the following scenario: Configure the wireless interface as AP with WPA2 for my WiFi devices like laptop, smartphone Config...

harry66

I have exactly the same issues. The device seems to be far from its nominal transmit power even if set to capable channels.

No clue what else I could try.

harry66

For your interest:
The attached command file is generated from the same source as above but intercepts web proxy traffic.

harry66

Hi, I gave DNS blackholing on RouterOS a try and converted the malwaredomains.com listed domains into a RouterOS readable script. See attachment . The intention is to use RouterOS regexp capabilities for domains and resolve them to 127.0.0.1 as this is a quite effective measure to prevent malware do...

harry66

You have apparently not understood what I suggested. AppLocker specifies the extensions to be blocked as executable and obviously .JS is one of them. The user clicking on a .js link results in downloading to %TEMP% by the browser then calling the OS to execute it and BOOM the execution of this file...

harry66

You are talking about the threat situation 5 years ago. You completely neglect the scenarios I described.

Read this and understand it:
https://nakedsecurity.sophos.com/2016/0 ... -required/

/Uwe

harry66

That approach does not take into account, that 90% of your infections come via one single application that you can't control this way: The internet browser There are a lot of systems in the field that are old and/or can't be protected by endpoint protection. (Windows XP, UNIXes e.g.) Do you have an ...

harry66

Is that really the right approach to say that it will no longer work in two years? It is about protecting information from threats we are facing today. Now. It does not matter at all if this technology is outdated in two years. This is a rapidly developing market and you have to have effective measu...

harry66

Thanks, sounds quite sensible

harry66

Hi, even though I think my RB951-2n should have a beeper I can't get it beep. Actually I can't even remember if it ever beeped :-) But now that I want to make it beep in a script I can't hear anything. On the console I tried [admin@fw-a156563] > beep [admin@fw-a156563] > :beep [admin@fw-a156563] > b...

Search found 55 matches