MikroTik

MetUys

PS: key file imports, its the pfx that is now not importing (did on previous versions). I switched to a full chain cer+key instead of my original full chain pfx+key, this solved my issues on all versions I have tried it on (old and new). I have not tested yet on v13.5 (or newer), but I'm confident ...

MetUys

We are also seeing resolution issues on our side to a bunch of different units. It's intermittent, so we still investigating where the fault might actually lie.
PS: We have also identified some issues with some ISPs towards Cloudflare services, it may be related but could also be co-incidental.

MetUys

I'm having the same problem. just implemented two new Mikrotiks freshly done with netinstall to v7.8. I'm using the Posh-ACME service (targeting ZeroSSL) to generate the certificates on another machine and those are being put onto the units to be imported. I have updated to the latest version and ha...

MetUys

Hi @normis,
An aside: You might want to update your mail template to reflect the year 2023. Last month also stated 2022. (subject line)

MetUys

Hi, I noticed on NPS (Server 2012 R@ at least) that if you are locking the Network Policy down to conditions: NAS port type of Virtual (VPN) and User group, it wont allow SSTP. (it does allow PPTP, L2TP, IKev2, just not SSTP) If your Network policy doesnt have "NAS Port Type" condition set...

MetUys

Hi @gliepins, Did you come right here? maybe check out this topic:https://forum.mikrotik.com/viewtopic.php?t=136926 IKEv2 needs the certificate and intermediate certificate configured to send to the windows OS (since windows doesn't have the intermediate certificate in its local store). its either t...

MetUys

Hi, I was also having this issue, been testing a whole bunch of VPN configurations with Mikrotik and RADIUS. As we know here the issue is not RADIUS, and is an intermediary certificate not being presented to windows by Mikrotik (Natively), it can be specified in the CLI and winbox. The reason for my...

MetUys

Hi, 100% I think Public NTP attack is a low probability, but I believe in accurate feedback: I normally have NTP restricted, but I noticed I had disabled the "drop all !LAN" while doing the HA_mikrotik testing, so accurately it was plausible. I have re-enabled the restriction and no reboot...

MetUys

Hi all, Just wondering if its possible to harden the Mikrotik on its various SSL/TLS services? I see SSTP you can force tlsv1.2, AES and PFS. (although when testing using SSLLabs - "This server does not support Forward Secrecy") IP>Services>www-ssl - tests show it offers RC4, TLSv1.0, TLSv...

MetUys

Hi All, I am also experiencing this problem: hAP ac2 rebooting randomly. I originally thought it was a config issue as I was playing with the HA_Mikrotik setup (https://github.com/svlsResearch/ha-mikrotik), however I had read about the NTP suggestion and after disabling the NTP package (not uninstal...

MetUys

Also make sure you limit who can access winbox (ip address access list, not just the user accounts created), leaving it exposed is not recommend in case there are any exploits against it (which there was within recent years) All these items mentioned above are mentioned many times throughout this fo...

MetUys

Hi, for those interested, we managed to make some headway on this. The problems being: no serial console to execute the install via, which results in a premature disconnect on ether1. to get around this connect to the second Mikrotik and execute the $HAInstall commands via mac-telnet to the first mi...

MetUys

Thanks @Nathan1,
I have reached out to you on gmail.
Correct, this is v0.6
Will reset both and use master now.

MetUys

Hi @nathan1, Yes I can get back into both devices. (screenshot of logs at bottom, this is from the v0.6 release, where I executed before the 2min counter) and 100% I can give access, should I reach out to you on your google mail service account? (I see it in the previous comments) Its totally a POC ...

MetUys

Hi @nathan1, Good work here, and thanks for maintaining it for so many years. Im using our countrywide lock-down due to COVID-19 to trial the ha_mikrotik setup. (finally some time to do it) Setup: 2x RBD52G-5HacD2HnD (aka hAP ac^2, all I can get my hands on), both on ROS v645.6 and firmware updated ...

MetUys

Upgraded hAP ac2, no issues as yet. (although config is very simple, pppoe client and pptp vpn). I also want to test l2tp/ipsec but had issues in previous build(s) but seemed to be more ISP related than mikrotik (yes Im aware of the gre traffic acceptance needs). I will also try see if the "ver...

MetUys

Noticed DHCP feature is enabled after upgrade to v6.44 (firmware also updated) on CCR1036-12G-4S, If I attempt to disable DHCP again and reboot, it says "can not disable dhcp-6.44: security depends on it" Sorry if this is not related to this version, upgraded from a slightly older version....

MetUys

Good day,

is there any news on a bugfix version for the DHCP server issues reports for wireless devices,
and the Firewall Address list items not living out their time period?

MetUys

Hi, When adding a IP to an IP>firewall>address list with a timeout (say 4d 00:00:00) and adding a comment in 6.39.3, it drops off within 24hours (and not when the timeout is reached). Doing the same in v6.38.7 it doesnt drop off and continues to count down till its timeout is reached. I have tested ...

MetUys

+1 Just a thought and pardon if I fall out the window on this... What if the created ROS package for this did an inspection of the TLS SNI Domain Hint but only during the setup of a cert if using TLS-SNI mode? This way it could capture the validation requests and respond appropriately completing the...

MetUys

Hi all, As of recent we have started getting problems legitimate clients/staff/users's IPs getting caught by the TCP null scan (i.e. TCP packet with no flags set) filter. What we have detected is its finding a TCP() packet during FTP calls from FileZilla on windows 10 (Build 1607). (FYI: it seems to...

MetUys

Hi All, Have upgraded from v6.34.6 and v6.36.4 to this version (v6.37.4) on a host of these devices with no issues experienced thus far (also no netinstalls needed on any): - cAP (mipsbe) - mAP2n (mipsbe) - RB951G-2HnD (mipsbe) - RB951Ui-2HnD (mipsbe) - RB2011UAS-2HnD (mipsbe) - CRS125-24G-1S-RM (mi...

MetUys

Hi all, I have upgraded most of our devices to the latest bugfix (v6.36.4), i have made sure each is running the latest firmware too, (I am using latest winbox v3.7 in case you are wondering), everything is going well except one odd behavior noticed regarding the new host name resolution in the fire...

MetUys

Hi all, I'm trying to track down any info regarding the SCTP connection helper added in v6.36? Is it inline with the IETF Draft relating to multi hosts behind a NAT? "specialized code has been added to NAT for TCP that allows multiple hosts to reside behind a NAT and yet use only a single globa...

MetUys

wrong thread apologies.

MetUys

Any news on a new bugfix for this version?
seems like no comments since the timestamp and traffic marking issues were noted.
a bit hesitant to move to this version until there is some clarity on those.
Were they setup specific or a problem on the version?

MetUys

Hi, any change for Board" (first prize) and a "Version" (just nice to have) column to be added to the Managed tab? would be super if you needed to sort by those, especially in large lists. We use the Group section for department/geographical grouping and the Note section for any addit...

MetUys

*) winbox - allow to enter dns name in email server; This is only a once off adding in terminal and resolves immediately, not on each use. it also cannot be set via winbox > tools > email, still only allows IP. I guess I will have to wait for the RC to release where it has the options amended alrea...

MetUys

what is this exactly -> email - resolve server address; i was happy when i saw it because i believe that finally i could write at tools-email-server something like "mail.blablabla.com" and not only ip address. this is useful because ip address of mail outgoing server change. now i am usin...

MetUys

Hi All, I see a few people have got no result in the system health, so tested myself after upgrading to latest version: > system health print > system routerboard print routerboard: yes model: 751U-2HnD current-firmware: 3.22 upgrade-firmware: 3.22 > system resource print uptime: 14h47m36s version: ...

MetUys

Hi, Upgraded RB751U-2HnD (v6.19 -> v6.20) = no problems as yet. Upgraded RB2011UAS-2HnD (v6.19 -> v6.20) = IP Routes got lost, Queues also went missing and obviously the Graphs on the Queues were not linking correctly (no queue to link to). I manually added back the routes and queues and fixed the g...

MetUys

Same issue Here. Mikrotik-Remote <- PPTP (MTU1450) -> Mikrotik-Main: - problematic winbox access from system behind Mikrotik-Remote when connecting to internal IP or VPN IP of Mikrotik-Main. - problematic winbox access from system behind Mikrotik-Main when connecting to internal IP or VPN IP of Mikr...

MetUys

thanks!
just to confirm, with ROS v6 the "parent=global-out" will just be "parent=global", correct?

Search found 33 matches

Re: Certificate Key Import not possible on v7.7

Re: IP Cloud domains mynetname.net down again?

Re: Certificate Key Import not possible on v7.7

Re: Newsletter 111

Re: PPP SSTP Server with radius authentication

Re: IPsec/IKEv2 EAP+Radius [SOLVED]

Re: Ikev2 + Eap Radius + Windows 10 Not Working - But Working On Apple Devices

Re: Possible fix for hAP ac2 rebooting randomly

Harden Security on SSL/TLS Services

Re: Possible fix for hAP ac2 rebooting randomly

Re: Hacker attacks on CCR [SOLVED]

Re: Suggestion: Completely virtual router based on two physical routers

Re: Suggestion: Completely virtual router based on two physical routers

Re: Suggestion: Completely virtual router based on two physical routers

Re: Suggestion: Completely virtual router based on two physical routers

Re: v6.45.6 [stable] is released!

Re: v6.44 [stable] is released!

Re: v6.39.3 [bugfix] is released!

Re: v6.39.3 [bugfix] is released!

Re: Support for ACME/Let's Encrypt certificate management [SOLVED]

TCP Null Scan (aka NMAP Scan)

Re: v6.37.4 [bugfix] is released!

Re: v6.36.4 [bugfix] is released!

SCTP connection helper info

Re: v6.36.4 [bugfix] is released!

Re: v6.34.5 [bugfix] is released!

Re: Winbox 3 RC

Re: 6.32.3 [CURRENT] version released!

Re: 6.32.2 released

Re: RouterOS v6.28 released

Re: v6.20 released!

Re: Freezing / disconnection of Winbox over PPTP VPN

Re: Skype Full Speed Work Prefect Script