Community discussions

Search found 104 matches

by gerakon
Wed Jan 30, 2019 11:52 pm
Forum: General
Topic: 2 bridges or vlan
Replies: 5
Views: 545

Re: 2 bridges or vlan

Create a WAN-Bridge add ports 1 and 2 to it. Likely change anything in your config that references eth1(DHCP Client, IP address, firewall rules, NAT Rules, etc) to WAN-Bridge. With newer default configurations you may also need to add the WAN-Bridge to a WAN address list (I forget the exact name of ...
by gerakon
Mon Jan 07, 2019 4:49 pm
Forum: General
Topic: Mikrotik breaking Wi-Fi Calling?
Replies: 19
Views: 1457

Re: Mikrotik breaking Wi-Fi Calling?

I'm not sure if this is related to Wi-Fi calling, but it shouldn't hurt. The SIP helper that's built in to Mikrotik and most other routers tends to break SIP. Disable it. /ip firewall service-port set sip disabled=yes I've also had a Brighthouse ISP modem cause problems too. ISP tech support wasn't ...
by gerakon
Thu Oct 18, 2018 7:07 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 17
Views: 1745

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

WINS can be configured on a Windows Server, Linux or Synology NAS (probably other NAS's as well but I'm less familiar with them). Just found this is from Microsoft. https://docs.microsoft.com/en-us/windows-server/networking/technologies/wins/wins-top So don't do what I said. If you are using your Mi...
by gerakon
Thu Oct 11, 2018 5:49 am
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 17
Views: 1745

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

Besides the host file, the other way to do it is to set up a WINS server. Personally I either set up UNC shortcuts to the IP address or you could map a network drive to the IP address, though my installs are smaller so it's not usually a big deal. Larger networks might make this less feasible. One oth...
by gerakon
Fri Sep 28, 2018 7:23 am
Forum: Scripting
Topic: script to detect RDP user connected
Replies: 8
Views: 812

Re: script to detect RDP user connected

Hi Rendezz, Uh.... it seems I know far less about RouterOS Scripting than I thought (which wasn't much)..... What do you mean by compile? I didn't see anything about compiling in the wiki/manual. Compiling might mean IDE or text editor (I found that there is notepad++ with syntax highlighting.... is...
by gerakon
Wed Sep 26, 2018 6:06 am
Forum: Scripting
Topic: script to detect RDP user connected
Replies: 8
Views: 812

Re: script to detect RDP user connected

line 2 of what you posted seems to work, Rendezz, but it didn't seem to print the 4th line (:put) to the terminal. I've worked some more on the email portion but that still isn't working. I also commented the script. Any thoughts? Thanks. #Define variables global vCurrentStatus; global vCurrentRDPIP...
by gerakon
Sat Sep 22, 2018 12:10 am
Forum: Scripting
Topic: script to detect RDP user connected
Replies: 8
Views: 812

Re: script to detect RDP user connected

Rendezz, thanks for looking. At first, it appears that it isn't working, but I won't have time to dig into it until this weekend. Gregster, The other part of this is the firewall rules that I'm using (or trying to). Here are the rules..... probably need tweaking..... I'll post what works when we fig...
by gerakon
Thu Sep 20, 2018 8:45 am
Forum: Scripting
Topic: script to detect RDP user connected
Replies: 8
Views: 812

script to detect RDP user connected

I just barely understand what I'm doing when it comes to scripting... I'm trying to mash a couple scripts together to detect when there is an active RDP connection. I have a firewall rule to add the IP to an address list. I'm having trouble with syntax on the second line. :global vCurrentStatus; :lo...
by gerakon
Wed Sep 19, 2018 5:26 pm
Forum: Beginner Basics
Topic: Bruteforce prevention Issue
Replies: 14
Views: 1071

Re: Bruteforce prevention Issue

Eh... so you didn't. :? I guess it was more that you didn't think brute force mitigation was very useful, but I didn't take the time to go back and look at what you said after reading the rest of the posts.... Yes there could be an unknown vulnerability in the VPN server. On some of my routers I hav...
by gerakon
Wed Sep 19, 2018 1:09 am
Forum: General
Topic: Can default configuration be hacked?
Replies: 8
Views: 1044

Re: Can default configuration be hacked?

If you reset the config to factory defaults, it will use the default configuration for that version of router OS. The default config has changed quite a bit from 6.39 to 6.42.x. I would not expect the original default config that came with the router OS version that shipped with the device to match ...
by gerakon
Wed Sep 19, 2018 12:47 am
Forum: Beginner Basics
Topic: Bruteforce prevention Issue
Replies: 14
Views: 1071

Re: Bruteforce prevention Issue

You should be able to add a firewall filter rule with the safe addresses above the brute force blocking rules, then they shouldn't ever make it to the blocking rules.

Though I agree with Sob and Van9018, VPN is safer.
by gerakon
Tue Sep 18, 2018 6:54 pm
Forum: General
Topic: Improve config (Proofreading*)
Replies: 4
Views: 1142

Re: Improve config (Proofreading*)

Also your /ip firewall layer7-protocol rules probably don't work? As far as I know, now that https is everywhere the layer 7 stuff doesn't work any more because it's encrypted. You can create an address-list with the youtube and netflix dns addresses and then create a firewall filter rule to drop th...
by gerakon
Tue Sep 18, 2018 6:48 pm
Forum: General
Topic: Improve config (Proofreading*)
Replies: 4
Views: 1142

Re: Improve config (Proofreading*)

I posted something similar a while back and was disappointed at the lack of response too.... not sure why exactly but it does take a little bit to look through the config.... maybe that's it... anyway I won't comment on the queues because I don't use them much. Your firewall section looks like it ne...
by gerakon
Tue Sep 11, 2018 2:31 am
Forum: General
Topic: How to block Windows Update on RB2011
Replies: 3
Views: 1705

Re: How to block Windows Update on RB2011

Somewhere around 6.38 they added the ability to add DNS names to an address list. Put them in there and then add a firewall filter rule to drop anything to those sites. Or I create an internal address list for the computers that I don't want to update as well. Don't include the http:// or https:// w...
by gerakon
Mon Jul 16, 2018 8:42 pm
Forum: General
Topic: MT IPSec Config Builder
Replies: 1
Views: 338

Re: MT IPSec Config Builder

I've only built and tested one tunnel in production on a slightly older revision of the script so it may still need some tweaking. I know there are a number of other fields that could be included. I've also thought of building a GUI if there is interest.
by gerakon
Mon Jul 16, 2018 8:26 pm
Forum: General
Topic: MT IPSec Config Builder
Replies: 1
Views: 338

MT IPSec Config Builder

I've had some trouble from time to time configuring IPSEC tunnels, usually because I get an IP address in the wrong spot or miss a /24 subnet or something so here's my solution. It's an AutoHotkey script that will create default config files in the same location on the first run which you can modify...
by gerakon
Mon Jul 16, 2018 8:06 pm
Forum: General
Topic: Dual uplinks means dual public IPs
Replies: 3
Views: 349

Re: Dual uplinks means dual public IPs

/ip cloud or some other DDNS service if you don't happen to have a datacenter laying around. Granted ip cloud has had a bit of flakiness from time to time it usually works for me for remote administration at least. There is supposed to be a new /ip cloud service from Mikrotik sometime soon to addres...
by gerakon
Mon Jun 18, 2018 11:08 pm
Forum: General
Topic: WAP60G for 200ft link on steel buildings
Replies: 5
Views: 727

Re: WAP60G for 200ft link on steel buildings

Thanks for the input. Any thoughts on if the QuickMount is necessary? Or if some other mount might be better?
by gerakon
Wed Jun 13, 2018 8:17 pm
Forum: General
Topic: WAP60G for 200ft link on steel buildings
Replies: 5
Views: 727

WAP60G for 200ft link on steel buildings

I have 200ft between 2 steel buildings. It looks like the WAP60G should work between the 2. 1. If I mount them on the side of the building do I need to be concerned about the metal building? Would using a Quick Mount be sufficient to mitigate problems from the metal? 2. Do these need to be perfectly...
by gerakon
Thu Mar 22, 2018 12:26 am
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208014

Re: Feature requests

This is already possible. Connect to one router. Set columns you want to see, open windows etc. Select session/save as Next time before connecting to new router pick saved session. But then I have to do that on each of the hundreds of routers in my Winbox managed sessions list.... Right? I guess my...
by gerakon
Wed Mar 21, 2018 3:46 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208014

Re: Feature requests

In Winbox I think the Dashboard menu could go away and just have all of its items enabled by default. Unless there's some reason people don't want to see this information or there is some amount of overhead on the router. If it can't go away, it would be great if it would at least remember my setti...
by gerakon
Wed Mar 21, 2018 3:06 pm
Forum: Scripting
Topic: remote ssh via script
Replies: 52
Views: 30661

Re: remote ssh via script

I had a similar problem years ago that I wanted to reboot some crappy engenius APs every night on a schedule so they wouldn't lock up once a week. I suspect Mikrotik doesn't allow this because it could turn their routers into a weapon for hackers. Any way, I looked into using API at the time, but di...
by gerakon
Wed Feb 28, 2018 4:34 pm
Forum: General
Topic: CRS326 6.41.1 VLAN trunk to WAPAC no traffic
Replies: 3
Views: 704

Re: CRS326 6.41.1 VLAN trunk to WAPAC no traffic

The CRS326 is routing to the internet on port 24. Port 21 and 22 are supposed to be vlan trunks to 2 WAPACs. Ports 1-20 are access ports on VLAN100. Port 23 I just left for management in case I mess up the config and lock myself out. Any help would be appreciated.
by gerakon
Sat Feb 10, 2018 12:21 am
Forum: General
Topic: CRS326 6.41.1 VLAN trunk to WAPAC no traffic
Replies: 3
Views: 704

Re: CRS326 6.41.1 VLAN trunk to WAPAC no traffic

I'm sorry, I meant VLAN101 is causing me problems. I've edited the original post to reflect that. I've also had second thoughts about the VLAN102 and removed it from the configuration. It is being used as both a switch and a router. Wan port is ether24. I will isolate the private LAN with fire...
by gerakon
Wed Feb 07, 2018 5:29 am
Forum: General
Topic: CRS326 6.41.1 VLAN trunk to WAPAC no traffic
Replies: 3
Views: 704

CRS326 6.41.1 VLAN trunk to WAPAC no traffic

This is my first CRS326 and first attempt at using the new VLAN/hw offload configuration in 6.41. Configs are below. VLAN 100 on the wired ports are working fine. I'm having trouble with VLAN101 and the WAPAC's connected to ports 22 and 23. I get no connectivity between 192.168.0.1(CRS326) and 192.1...
by gerakon
Thu Jul 06, 2017 10:43 pm
Forum: RouterBOARD hardware
Topic: When will be RB3011UiAS-2HnD-IN available?
Replies: 65
Views: 19965

Re: When will be RB3011UiAS-2HnD-IN available?

Personally I like separating my wireless from my routing devices so that I can place my router in my utility room and my wireless more centrally in my house, though I understand that's not what everyone wants. RB3011 + WAPAC or HAPAC are a nice combination. The RB1100AHx4 also looks good on paper. I...
by gerakon
Sun Jun 18, 2017 7:21 am
Forum: Beginner Basics
Topic: Correct configuration for a VLAN trunk port? [solved]
Replies: 2
Views: 2390

Re: Correct configuration for a VLAN trunk port?

I couldn't tell from your description, but you need to configure the trunk port on both the 2011, the HAP Lite and the Netgear.

Here's the Wiki for the HAP Lite and the 2011.
https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29
by gerakon
Tue Jun 13, 2017 12:27 am
Forum: Announcements
Topic: Newsletter 76
Replies: 50
Views: 14924

Re: Newsletter 76

Which CPU architecture running RouterOS in CRS326-24G-2S+RM? ARM, MIPSBE or SMIPS? How it compares with CPU performance of CRS125 or CRS226? ARM v7 Dual-Core @ 800 MHz So, similar to the RB3011 being ARM, except a little better than half the clockspeed. IPSEC will be software only until they enable...
by gerakon
Mon Jun 12, 2017 7:14 pm
Forum: Announcements
Topic: Newsletter 76
Replies: 50
Views: 14924

Re: Newsletter 76

Interested in routing and IPSEC performance of the CRS326-24G-2S+RM. I imagine no hardware acceleration for IPSEC? Will it do 50-100Mb of IPSEC?
Thanks,
Gerakon
by gerakon
Thu Jun 08, 2017 4:47 pm
Forum: General
Topic: only half duplex in 10Mbps Ethernet
Replies: 5
Views: 1287

Re: only half duplex in 10Mbps Ethernet

Huh... I just found this in the 6.40rc2 release notes

*) ethernet - fixed forced 10Mbps full-duplex linking on 100Mbps Ethernet ports;

If you still have problems it looks like there is a fix coming... or here if you don't mind running RCs
by gerakon
Sun Jun 04, 2017 4:06 am
Forum: General
Topic: Performance Query
Replies: 8
Views: 899

Re: Performance Query

Yep, post your config. You should have one port as master and likely the rest slaved to it. You can do VLANs without bridging, but at 10 Gb it doesn't have the CPU for bridging. If you are bridging, that takes place in CPU and will cripple it. I have a CRS125 and it works great with VLANs. If i were...
by gerakon
Sat Jun 03, 2017 7:55 am
Forum: Scripting
Topic: Delete all DHCP-leases every 24 hours
Replies: 5
Views: 3152

Re: Delete all DHCP-leases every 24 hours

Couldn't you just set lease times to 1 hour?
by gerakon
Sat Jun 03, 2017 7:33 am
Forum: General
Topic: only half duplex in 10Mbps Ethernet
Replies: 5
Views: 1287

Re: only half duplex in 10Mbps Ethernet

Have you tried a different device too? The computer or laptop or printer or whatever you are trying to connect? Have you forced that end to 10M full duplex too? Typically you either want both ends set to auto or both ends forced to the same speed and duplex. If you force speed and duplex to 10 full ...
by gerakon
Sat Jun 03, 2017 7:22 am
Forum: General
Topic: Performance Query
Replies: 8
Views: 899

Re: Performance Query

You are probably maxing out the processor on the devices you are testing from rather than the devices being tested. I'm fairly certain that you shouldn't be running the bandwidth test on the CRS devices. You are very likely maxing the CPU on the ones running the test. You need something with more pr...
by gerakon
Sat Jun 03, 2017 6:41 am
Forum: Beginner Basics
Topic: Software for designing network diagrams
Replies: 4
Views: 1063

Re: Software for designing network diagrams

I have used Dia a few years ago. Seemed to work reasonably well. It's open source and comes with a number of generic network/router/switch images.
https://sourceforge.net/projects/dia-installer/
by gerakon
Tue Mar 28, 2017 6:19 pm
Forum: Virtualization
Topic: CHR on KVM - auto-negotiation fails
Replies: 11
Views: 3601

Re: CHR on KVM - auto-negotiation fails

I have seen the same issue on XenServer 6.5 and CHR 6.37.1, but didn't notice any performance issues either. I haven't checked since upgrading to 6.38.5.
by gerakon
Sun Nov 13, 2016 5:35 am
Forum: Virtualization
Topic: CHR on KVM - auto-negotiation fails
Replies: 11
Views: 3601

Re: CHR on KVM - auto-negotiation fails

I'm not so sure that my speed issues have anything to do with RouterOS any more. I notice that there are a lot of people that have had problems with slow speeds after updating to Synology DSM6.X. At this point, I'm thinking that the auto-negotiation failing is cosmetic at least for me. I was able to ...
by gerakon
Fri Nov 11, 2016 1:04 am
Forum: General
Topic: How are my firewall rules?
Replies: 2
Views: 985

Re: How are my firewall rules?

Any thoughts? Am I asking too much to have someone look through them all? If so, how about the other questions?
by gerakon
Tue Nov 08, 2016 5:56 pm
Forum: Virtualization
Topic: CHR on KVM - auto-negotiation fails
Replies: 11
Views: 3601

Re: CHR on KVM - auto-negotiation fails

I have the same problem with Auto negotiation on CHR 6.37 running on XenServer 6.5. I also have Synology DS212j NAS that is extremely slow (~500kb/sec). I have a second Synology DS212j NAS that seems to work fine. Both NAS's are connected to a CRS125 and then to the CHR through VLAN trunk. Both NAS'...
by gerakon
Sat Oct 29, 2016 4:52 am
Forum: General
Topic: Creating "Internet of S**t" VLAN and wireless network + FW and whitelist (1100x2AH with 411AR as access point)
Replies: 2
Views: 732

Re: Creating "Internet of S**t" VLAN and wireless network + FW and whitelist (1100x2AH with 411AR as access point)

Oh, and then do one of the following depending on what you want it to have access to (Internet, or LAN/Local nets only) add action=drop chain=forward comment="Block server from connecting to internet" log=yes log-prefix=ServerTryingToGetOut out-interface=ether1 src-address=10.10.10.20 add action=dro...
by gerakon
Sat Oct 29, 2016 4:42 am
Forum: General
Topic: Creating "Internet of S**t" VLAN and wireless network + FW and whitelist (1100x2AH with 411AR as access point)
Replies: 2
Views: 732

Re: Creating "Internet of S**t" VLAN and wireless network + FW and whitelist (1100x2AH with 411AR as access point)

I did something similar recently, but at the time I used a CRS125 and a HAP AC Lite. The VLAN configuration for CRS is very different from your equipment, but HAP AC Lite stuff should be the same. Here's the wiki that explains VLANs for the 1100 and 433. You need to create a VLAN trunk that contains...
by gerakon
Thu Oct 27, 2016 5:00 pm
Forum: General
Topic: How are my firewall rules?
Replies: 2
Views: 985

How are my firewall rules?

I'm looking for feedback or recommendations on my firewall rules. I've spent a couple of years refining and adding to my rules and recently made a lot of changes. Am I missing anything? Is there something I should do a different way? Is there a way to consolidate any of my rules? Filter rule 16 I wa...
by gerakon
Thu Oct 13, 2016 8:06 am
Forum: Beginner Basics
Topic: Two Network Separately on same RouteOS
Replies: 3
Views: 580

Re: Two Network Separately on same RouteOS

I use something like this to keep my networks from talking to one another. They are only allowed out the WAN port.
ip firewall filter
add action=drop chain=forward in-interface=ether2 out-interface=!ether1
add action=drop chain=forward in-interface=ether3 out-interface=!ether1
by gerakon
Sat Sep 17, 2016 7:14 pm
Forum: General
Topic: RB2011 Port Bouncing
Replies: 12
Views: 1387

Re: RB2011 Port Bouncing

This isn't an ideal solution, but if you don't want to buy hardware or much more hardware, if you have a USB NIC you could try using it on the RB2011. If you really need gigabit to your NAS this isn't a good solution, but my NAS doesn't get hit that hard so it would maybe work for some people. Here'...
by gerakon
Sat Sep 17, 2016 6:11 am
Forum: General
Topic: RB2011 Port Bouncing
Replies: 12
Views: 1387

Re: RB2011 Port Bouncing

I would tend to agree with inductor. So I thought hey just plug in a USB NIC and it will probably work again, but after a quick google search it looks like many people have tried and failed to get a USB NIC to work with Synology hardware. I have 2 DS212j's so I thought I'd give it a try. I tried 3 d...
by gerakon
Thu Aug 18, 2016 2:50 pm
Forum: Beginner Basics
Topic: Can someone help setup these routers with me
Replies: 5
Views: 864

Re: Can someone help setup these routers with me

I'm all for dumping Netgear..... but if you're having problems with equipment during lightning storms, do you have a UPS(s)? If not it might be a good thing to put in place.
by gerakon
Wed Aug 17, 2016 10:57 pm
Forum: Scripting
Topic: generate address list and block based on source network
Replies: 4
Views: 2064

Re: generate address list and block based on source network

That looks interesting. Tomorrow I was going to implement with 2 different DNS servers (1 for each network) and set pointclickcare.com to 127.0.0.1 on one DNS server, but I like that idea better. I'll test it out.

Thanks.
by gerakon
Wed Jul 27, 2016 4:51 pm
Forum: Scripting
Topic: generate address list and block based on source network
Replies: 4
Views: 2064

Re: generate address list and block based on source network

Thanks, that looks very helpful, and I look forward to using that feature, but I try to stick to the bugfix releases just to make sure I run into as few problems as possible. I would like to implement this for them sooner than the new bugfix release if possible. If you or anyone else has any thought...
by gerakon
Fri Jul 22, 2016 6:28 am
Forum: Scripting
Topic: generate address list and block based on source network
Replies: 4
Views: 2064

generate address list and block based on source network

I would like to generate an address list and block 2 of 3 internal networks from accessing pointclickcare.com. I found a script here called "Block access to specific websites" and modified it a little but it seems to be adding a bunch of random (or at least I can't see a pattern) to the address list...
by gerakon
Wed Jun 22, 2016 6:49 pm
Forum: General
Topic: CCR router - Queuing over 500mbps, slow cpu
Replies: 12
Views: 2317

Re: CCR router - Queuing over 500mbps, slow cpu

Hadn't thought about that before. I thought I had just seen it explained like my previous post elsewhere on the forum though I don't remember where now.... Found this from Normis All switched ports share 1gbps full duplex link to CPU, other than that there should be no difference in this thread http...
by gerakon
Wed Jun 22, 2016 5:04 am
Forum: General
Topic: CCR router - Queuing over 500mbps, slow cpu
Replies: 12
Views: 2317

Re: CCR router - Queuing over 500mbps, slow cpu

If you are routing between ports 1-4, they are all connected to the switch chip which all share a 1GB uplink to the CPU. The most you will get between those ports is half of the 1GB uplink which seems about right..... if this is the case, can you switch at least one of the ports in question to ports...
by gerakon
Mon May 30, 2016 6:20 pm
Forum: General
Topic: Users disappear after logout
Replies: 6
Views: 1051

Re: Users disappear after logout

I'm just guessing at this point, but 1. Does it happen with settings other than user accounts? Maybe add a DNS entry and see if it sticks? 2. It looks like you're using x86. Virtualized? Does the VM have write permission to the disk? 3. Contact Mikrotik support with a supout.rif, though I don't know...
by gerakon
Sat May 28, 2016 6:48 pm
Forum: General
Topic: Users disappear after logout
Replies: 6
Views: 1051

Re: Users disappear after logout

You aren't using the SafeMode option in Winbox are you? I don't know what the equivalent is in SSH. I imagine you would have noticed if you were doing that but the behaviour seems about right.... Maybe a newer version of Winbox with the old RouterOS version and there's a bug with the SafeMode option...
by gerakon
Fri May 20, 2016 8:46 pm
Forum: General
Topic: RB3011UiAS-RM and HAP AC availability
Replies: 0
Views: 932

RB3011UiAS-RM and HAP AC availability

I've been looking for RB962UiGS-5H-US and RB3011UiAS-RM and have had difficulty finding them through my usual vendors. Does anyone know if there is a place to purchase them in the US? A few vendors had limited stock for a little while but now it seems they have run out and don't expect more for over...
by gerakon
Sun Mar 06, 2016 3:20 pm
Forum: Beginner Basics
Topic: VLAN trunks without bridges?
Replies: 5
Views: 3772

Re: VLAN trunks without bridges?

Once you said it, it seemed obvious and it worked great. Thanks. If it helps anyone else, here is what I added/changed. /interface bridge port add bridge=bridge1 interface=vlan10 add bridge=bridge1 interface=wlan1 add bridge=bridge1 interface=wlan2 /interface wireless set [ find default-name=wlan1 ]...
by gerakon
Sat Mar 05, 2016 4:07 pm
Forum: Beginner Basics
Topic: VLAN trunks without bridges?
Replies: 5
Views: 3772

Re: VLAN trunks without bridges?

I've got the ethernet ports working the way I'd like, but now I'm trying to add the 2Ghz interface to vlan 10 but so far nothing I've changed seems to work. When I connect, my phone just says obtaining IP address and then fails. I'm not exactly sure what vlan-mode should be set to, but "no tag" and ...
by gerakon
Wed Mar 02, 2016 8:00 pm
Forum: Beginner Basics
Topic: VLAN trunks without bridges?
Replies: 5
Views: 3772

Re: VLAN trunks without bridges?

That's exactly what I was looking for. It seems like that would be good info to have in the VLAN section on the wiki. I got the VLAN config onto the hap ac lite and at least one of the trunks seems to be working but the first access port I've tried doesn't work. I had very limited time to work on it...
by gerakon
Sun Feb 28, 2016 4:39 pm
Forum: Beginner Basics
Topic: VLAN trunks without bridges?
Replies: 5
Views: 3772

VLAN trunks without bridges?

I have a HAP AC Lite that I would like to have 2 VLAN trunks with VLAN IDs 10,20,30,40 on ether1 and ether2. I would also like to have an access port for VLAN 20 on ether3 and an access port for VLAN30 on ether5. I tried to do this without bridges but it didn't seem to work. Most of the info on the ...
by gerakon
Sat Feb 27, 2016 11:27 pm
Forum: General
Topic: SIP phones - No audio between extensions. Inbound and outbound calls are fine.
Replies: 12
Views: 1314

Re: SIP phones - No audio between extensions. Inbound and outbound calls are fine.

Just thought I would post an update. The ISP changed the DSL modem and all of the SIP calls started working correctly. Sorry I don't have the models. I believe the new one is an Arris.
by gerakon
Tue Oct 27, 2015 7:36 pm
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1514

Re: First attempt at making VLANs work in Router OS

It does seem a little counter intuitive, but I think that if you are ever going to trunk all of your VLANs to another device they all need to have the same master port so that the switch chip is handling things instead of the CPU. I plan to trunk all of the VLANs to something like the RB850x2 and ha...
by gerakon
Tue Oct 27, 2015 3:18 pm
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1514

Re: First attempt at making VLANs work in Router OS

I get DHCP and internet now works from VLAN30/ether24. Thank you everyone. Upgraded to 6.32.3. The drop invalid vlans rule was missing so I put it back. I also put in a firewall rule to drop anything from vlan30 to anything other than wan. When I plug into ether24 and run wireshark I'm still seeing A...
by gerakon
Tue Oct 27, 2015 3:14 am
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1514

Re: First attempt at making VLANs work in Router OS

Sorry, it looks like when I pasted the lines from skuykend it didn't add switch1-cpu to VLAN30. I will test further, but I'm short on time at the moment. Just didn't want anyone to spend more time on this. I am interested in why I was seeing broadcasts from the untagged network....
by gerakon
Tue Oct 27, 2015 2:59 am
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1514

Re: First attempt at making VLANs work in Router OS

I tried attaching a capture file, but no matter the extension it says invalid extension on the forum when I try to attach it to the post. Even happens with no extension. The packet capture on port 24 from a second USB NIC on my computer shows broadcasts from devices on the untagged VLAN which seems ...
by gerakon
Mon Oct 26, 2015 6:56 pm
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1514

Re: First attempt at making VLANs work in Router OS

Sorry I missed posting that. Here it is. I will reboot over lunch and see if that does anything. I have also tried 2 different client devices. and neither one showed an IP in Leases on the router or on the windows device. Otherwise backup the config and reset? I can probably do that tonight. /ip dhc...
by gerakon
Mon Oct 26, 2015 1:10 am
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1514

Re: First attempt at making VLANs work in Router OS

Can anyone see what I'm doing wrong?
by gerakon
Wed Oct 21, 2015 3:53 pm
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1514

Re: First attempt at making VLANs work in Router OS

I added both of those lines and still not getting an IP.... I also tried /interface ethernet switch unicast-fdb flush from the wiki. This Untrusted network I just want to get access to the internet and not talk to anything else on my trusted networks. I'm just playing with port 24 to learn VLANs, th...
by gerakon
Wed Oct 21, 2015 5:01 am
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1514

Re: First attempt at making VLANs work in Router OS

Should also mention it is a CRS125-1S-RM running 6.32.2
by gerakon
Wed Oct 21, 2015 4:55 am
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1514

First attempt at making VLANs work in Router OS

I've mostly followed the instructions here http://wiki.mikrotik.com/wiki/Manual:CRS_examples When I plug into ether24, I expect to get an IP from dhcp_poolUntrusted but I don't get an address. I've gotta be missing something easy. Also, there seems to be quite a bit of documentation for the CRS seri...
by gerakon
Sun Sep 06, 2015 4:55 am
Forum: General
Topic: Block GMAIL
Replies: 19
Views: 6271

Re: Block GMAIL

I guess I also made the assumption that you are using your router IP address as primary DNS server either statically or configured in your DHCP server.
by gerakon
Sun Sep 06, 2015 4:50 am
Forum: General
Topic: Block GMAIL
Replies: 19
Views: 6271

Re: Block GMAIL

And you'll have to restart the computer or run the following from the command prompt to clear cached DNS


Vista and Windows 7: Click “Start” and type the word “Command” in the Start search field. ...
In the open prompt, type “ipconfig /flushdns” (without the quotes).
by gerakon
Sun Sep 06, 2015 4:47 am
Forum: General
Topic: Block GMAIL
Replies: 19
Views: 6271

Re: Block GMAIL

Should go something like this /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 /ip dns static add address=127.0.0.1 name=mail.google.com /ip firewall filter add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp add action=drop chain=input dst-port=53 in-interface=ethe...
by gerakon
Sat Sep 05, 2015 6:23 pm
Forum: Announcements
Topic: Newsletter 67
Replies: 25
Views: 8827

Re: Newsletter 67

It looks like the wAP can replace the cAP entirely? Dual chain instead of single, 802.3af/at instead of passive, and we can install outdoors. Are there any advantages to the cAP?
by gerakon
Sat Sep 05, 2015 5:22 pm
Forum: General
Topic: Block GMAIL
Replies: 19
Views: 6271

Re: Block GMAIL

Just tried it on another computer that hadn't visited mail.google.com before the rule was in place and it gave error "Secure Connection Failed" in Firefox.... so it looks like it should work.
by gerakon
Sat Sep 05, 2015 4:50 pm
Forum: General
Topic: Block GMAIL
Replies: 19
Views: 6271

Re: Block GMAIL

/ip firewall filter add action=drop chain=forward comment="drop gmail" content=mail.google.com Seems like it should work..... I just tried it, moved it to the top of my firewall list and am getting hits on the rule, but I'm still able to login, view email list and view messages. Maybe it works by...
by gerakon
Sat Sep 05, 2015 4:02 pm
Forum: General
Topic: Block GMAIL
Replies: 19
Views: 6271

Re: Block GMAIL

Have you tried bkuhn's suggestion? It should work just fine.
by gerakon
Fri Sep 04, 2015 9:05 pm
Forum: Beginner Basics
Topic: New Mikrotik Config
Replies: 22
Views: 1780

Re: New Mikrotik Config

The out-of-box config would've been adequate

Hmm, yep I guess I made that more difficult than it needed to be..... Thanks Van9018
by gerakon
Fri Sep 04, 2015 8:52 pm
Forum: Beginner Basics
Topic: New Mikrotik Config
Replies: 22
Views: 1780

Re: New Mikrotik Config

I think we're maybe missing a few details. This 192.168.0.0/16 makes it look like your WAN and LAN subnets overlap which is going to cause problems for the router. Usually a /24 (255.255.255.0) on the LAN side is normal. If 192.168.0.2 is your DSL modem (or router at the ISP) you are doing double N...
by gerakon
Fri Sep 04, 2015 3:13 pm
Forum: Beginner Basics
Topic: New Mikrotik Config
Replies: 22
Views: 1780

Re: New Mikrotik Config

Yes remove that switch. Yes port 2 is still used as normal. Anytime you make configuration changes to port 2 it will affect all ports slaved to it (as far as I know). If you disable port 2 it disables all of the slaves as well. (I found that out the hard way). I don't think NAT is usually used on a ...
by gerakon
Fri Sep 04, 2015 2:25 pm
Forum: Beginner Basics
Topic: New Mikrotik Config
Replies: 22
Views: 1780

Re: New Mikrotik Config

Your WAN port should typically not be bridged or switched with your LAN ports. Bridging is CPU intensive. Port mirroring should be unnecessary unless you want to sniff/monitor traffic with something like Wireshark. Here is the Wiki page on Mirroring. http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_F...
by gerakon
Tue Sep 01, 2015 2:30 am
Forum: General
Topic: Preventing IPSEC VPN Brute forcing
Replies: 3
Views: 1538

Re: Preventing IPSEC VPN Brute forcing

This isn't exactly what you asked for, but works in some installations (usually site to site tunnels) where you know where your traffic is coming from.
/ip firewall filter
add chain=input protocol=ipsec-esp src-address-list="VPN Addresses"
add chain=input port=1701,500,4500 protocol=udp src-address-...
by gerakon
Mon Aug 31, 2015 10:48 pm
Forum: General
Topic: mikrotik routerboard 2011 l-rm cannot send/smtp big email
Replies: 1
Views: 326

Re: mikrotik routerboard 2011 l-rm cannot send/smtp big email

Do you suspect the router? Why? Usually attachment size limits are imposed by the mail server. Do you have an error message?
by gerakon
Fri Aug 28, 2015 4:35 pm
Forum: General
Topic: SIP phones - No audio between extensions. Inbound and outbound calls are fine.
Replies: 12
Views: 1314

Re: SIP phones - No audio between extensions. Inbound and outbound calls are fine.

Yes I was able to run a capture again and sent it to the SIP provider (he was going to pass it on to one of their engineers). Now there is a hold up on the customers end.... possibly indefinitely. If they want me to continue working on it at some point I will post back any new findings. Thanks for y...
by gerakon
Thu Aug 27, 2015 4:57 pm
Forum: General
Topic: SIP phones - No audio between extensions. Inbound and outbound calls are fine.
Replies: 12
Views: 1314

Re: SIP phones - No audio between extensions. Inbound and outbound calls are fine.

BTW, enabling the SIP helper for ports 5060 and 5061 with Direct Media = yes might help. Thanks for the suggestion docmarius. SIP helper was enabled when this issue was first brought to our attention. Looking at the suggestions here on the forums and on other sites as well as our SIP provider, many...
by gerakon
Wed Aug 26, 2015 6:47 pm
Forum: General
Topic: SIP phones - No audio between extensions. Inbound and outbound calls are fine.
Replies: 12
Views: 1314

Re: SIP phones - No audio between extensions. Inbound and outbound calls are fine.

Yes I tried that too. It's at the bottom of the firewall config in the first post. I also disabled h323 because the SIP provider suggested disabling h225 which as far as I can tell is a subset of h323. I will retry the packet capture with port filter instead of IP filter and see if I get anything di...
by gerakon
Wed Aug 26, 2015 5:36 pm
Forum: General
Topic: SIP phones - No audio between extensions. Inbound and outbound calls are fine.
Replies: 12
Views: 1314

Re: SIP phones - No audio between extensions. Inbound and outbound calls are fine.

Here is the LAN configuration. I'm not doing anything special here.
/interface bridge
add admin-mac=Removed auto-mac=no mtu=1500 name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" disabled=no distance=indoors frequency=2437 l2mtu=2290 mode=a...
by gerakon
Wed Aug 26, 2015 3:34 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 188128

Re: Cloud Hosted Router

CHR running on XEN
So is this a fix in 6.32rc5? I didn't find a place to download 6.32rc5. I tried
http://www.mikrotik.com/download/share/chr_6_32rc5.vmdk

but just got sent back to http://www.mikrotik.com/
by gerakon
Wed Aug 26, 2015 3:21 pm
Forum: General
Topic: SIP phones - No audio between extensions. Inbound and outbound calls are fine.
Replies: 12
Views: 1314

Re: SIP phones - No audio between extensions. Inbound and outbound calls are fine.

Yes we did try a packet capture, but I didn't think of trying to capture on the external interface. I'm not real well versed in Wireshark (I've used it once or twice a year for the past 10 years) so I captured with the following settings but the SIP provider said they didn't see a lot of the expecte...
by gerakon
Tue Aug 25, 2015 11:15 pm
Forum: General
Topic: SIP phones - No audio between extensions. Inbound and outbound calls are fine.
Replies: 12
Views: 1314

SIP phones - No audio between extensions. Inbound and outbound calls are fine.

We have an externally hosted SIP provider. Inbound and outbound calls work fine. Calls between extensions at one site get no audio between each other. I'm working with a technician from the SIP provider. They usually work with Cisco and usually fix this problem with the following example configurati...
by gerakon
Thu Aug 20, 2015 3:58 pm
Forum: Beginner Basics
Topic: How to block netcut in mikrotik ..
Replies: 1
Views: 2532

Re: How to block netcut in mikrotik ..

I hadn't heard of netcut before looking into it this morning, but I found this old thread with a possible solution.
http://forum.mikrotik.com/viewtopic.php ... of#p335112
by gerakon
Tue Aug 04, 2015 8:13 pm
Forum: Virtualization
Topic: XenServer 6.5, RB44Ge High CPU utilization on Ethernet
Replies: 4
Views: 3103

Re: XenServer 6.5, RB44Ge High CPU utilization on Ethernet

Hi Massimo, Thanks for the info. I'll keep it in mind, but I think I'll wait and see how this CHR thing works. If I get brave, I'll throw the RB44Ge in XENServer at the office (SuperMicro mainboard) and see if I can get the IOMMU/PCI passthrough to work. I would think it should use the native Router...
by gerakon
Mon Aug 03, 2015 9:26 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8937

Re: CRS226-24G-2S-RM ether drops intermittent

Has this issue been fixed? I'd like to purchase a CRS226-24G-2S+RM for the SFP+ ports.
by gerakon
Thu Jul 30, 2015 9:30 pm
Forum: General
Topic: Is SXT 2 or SXT Lite2 appropriate for connecting outdoor cameras
Replies: 5
Views: 577

Re: Is SXT 2 or SXT Lite2 appropriate for connecting outdoor cameras

@Jebz Thanks, I hadn't noticed that there was a license level that didn't include AP before. I was leaning towards the RBSXT-G-2HnD anyway but still good to know. @Normis Thanks, yes I knew phone antennas sucked, but it's nice to have a range to go with it. The phones will very likely be in the area ...
by gerakon
Thu Jul 30, 2015 3:37 am
Forum: General
Topic: Is SXT 2 or SXT Lite2 appropriate for connecting outdoor cameras
Replies: 5
Views: 577

Re: Is SXT 2 or SXT Lite2 appropriate for connecting outdoor cameras

Thanks for the information. That website looks helpful, though I was thinking more of just having 1 sector AP and have the camera, tablets and phones connect directly to the sector AP rather than using 2 sector APs. I'm unsure if that will work or not. I'll see if I can find a salesperson, though I ...
by gerakon
Wed Jul 29, 2015 6:05 pm
Forum: General
Topic: Is SXT 2 or SXT Lite2 appropriate for connecting outdoor cameras
Replies: 5
Views: 577

Is SXT 2 or SXT Lite2 appropriate for connecting outdoor cameras

Is SXT 2 or SXT Lite2 appropriate for connecting outdoor cameras and maybe a few tablets and phones? I have a steel building that I can mount an AP on the outside. The 1st camera would be mounted on a light pole about 200ft away. There may be more cameras mounted up to 500ft away if possible at some ...
by gerakon
Wed Jul 29, 2015 5:53 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 188128

Re: Cloud Hosted Router

XenServer 6.5 can import the VMDK image of CHR that Normis posted. But I got the kernel failed error above. I installed the x86 6.30.1 on XenServer but got high cpu usage whenever there was 10Mb of ethernet traffic. You can see here http://forum.mikrotik.com/viewtopic.php?f=15&t=98882 You have to se...
by gerakon
Wed Jul 29, 2015 3:44 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 188128

Re: Cloud Hosted Router

Will this work on XenServer 6.5? I imported the vmdk, gave it 512Mb RAM and got the following error while booting.

Booting Kernel Failed: Invalid argument

Is there something special I need to do?
by gerakon
Wed Jul 29, 2015 12:41 am
Forum: Virtualization
Topic: XenServer 6.5, RB44Ge High CPU utilization on Ethernet
Replies: 4
Views: 3103

Re: XenServer 6.5, RB44Ge High CPU utilization on Ethernet

I threw another hard drive in the server and installed RouterOS directly instead of virtualizing through XenServer and my ethernet utilization problem went away. Now I see that Mikrotik has announced/released a test version of Cloud Hosted Router. I wonder if this will run on XenServer? I'll have to...
by gerakon
Fri Jul 24, 2015 5:45 am
Forum: Virtualization
Topic: XenServer 6.5, RB44Ge High CPU utilization on Ethernet
Replies: 4
Views: 3103

XenServer 6.5, RB44Ge High CPU utilization on Ethernet

I've installed Xenserver 6.5 on a Gigabyte GA-MA770-UD3 Rev 1 mainboard, AMD Phenom 1035 6 Core, 5Gb RAM. I created a VM with 1 processor, 512Mb RAM, added the first 3 interfaces from an RB44Ge and converted the config from my RB2011 to match the ethernet ports on the VM. I was surprised that XenSer...
by gerakon
Wed Feb 25, 2015 12:31 am
Forum: General
Topic: SSTP VPN - certificate cannot be verified
Replies: 1
Views: 5544

SSTP VPN - certificate cannot be verified

I was hoping to post this as a tutorial when I got it figured out, but I'm still having a little trouble. Below are the steps I've gone through to get to this point. When I attempt to connect to the VPN I receive the following error message on Windows 7 Error 0x80096004: The signature of the certifi...
by gerakon
Mon Jun 16, 2014 9:16 pm
Forum: Scripting
Topic: Script to telnet to Engenius accesspoint and reboot
Replies: 4
Views: 3892

Re: Script to telnet to Engenius accesspoint and reboot

Expect looks fairly easy. The only thing that maybe I wasn't as clear as I should have been is, will I be able to create this script, upload it to the Mikrotik and have the Mikrotik run it on a schedule every night? Does Mikrotik support Expect scripts? The site with the Mikrotik and the Engenius Ac...
by gerakon
Sun Jun 15, 2014 8:39 pm
Forum: Scripting
Topic: Script to telnet to Engenius accesspoint and reboot
Replies: 4
Views: 3892

Script to telnet to Engenius accesspoint and reboot

I am wondering if it is possible to create a script to telnet from a RouterOS device to another device (Engenius in this case) and issue a reboot command via scheduled script. I would like to reboot about 10 Engenius APs daily at 3AM. The built in Engenius autoreboot feature is horrible. It only all...
by gerakon
Fri Jun 13, 2014 6:45 pm
Forum: Beginner Basics
Topic: How do I port forward and limit connections to specific IPs
Replies: 2
Views: 1655

Re: How do I port forward and limit connections to specific

Thank you for the reply. Sorry I didn't get a chance to try it sooner, but it doesn't seem to work.
[admin@PKRB2011] > add chain=dstnat dst-address=206.206.206.7 protocol=tcp dst-port=5005 src-address-list=camerausers protocol=tcp dst-port=5005 action=dst-nat to-addresses=172.16.14.10 to-ports=5005 ...
by gerakon
Sat May 24, 2014 9:47 am
Forum: Beginner Basics
Topic: How do I port forward and limit connections to specific IPs
Replies: 2
Views: 1655

How do I port forward and limit connections to specific IPs

I have a camera and a couple of other services that I would like to port forward, but would also like to limit external connections to specific IP addresses (my cell provider's IP network). Can I do the following? Is there a certain order that the add chain options should be specified? Is there a ...
by gerakon
Sat May 24, 2014 9:44 am
Forum: Beginner Basics
Topic: Remove - Double Post
Replies: 0
Views: 366

Remove - Double Post

Edit - Removed double post - Can a mod delete if that's the way it works on this forum?